The CSE Commissioner's 2014-15 Annual Report was finally tabled today, nearly 10 months after the end of the fiscal year covered by the document.
There is a lot that's interesting in the report, but the big news—which was actually in the press release from the Commissioner's office that accompanied the report rather than in the report itself—is that the Commissioner has declared that "CSE's failure to minimize certain Canadian identity information prior to it being shared with its partners did not comply with paragraph 273.64(2)(b) and section 273.66 of the [National Defence Act], and, as a consequence, did not comply with section 8 of the Privacy Act. The Commissioner therefore exercised his legal duty under paragraph 273.63(2)(c) of the NDA and informed the Minister of National Defence and the Attorney General of Canada of this non-compliance with the law."
In plain language, the Commissioner declared that CSE had failed to comply with the law.
In the 20 years since the office was first created, no CSE Commissioner has ever made such a declaration before.
The Canadian Identity Information in question was contained in "certain types of metadata" that "were not being minimized properly before being shared with CSE's partners in the United States, the United Kingdom, Australia and New Zealand", presumably throughGLOBALREACH. The exact nature of the metadata involved has not been revealed.
According to the Commissioner and CSE, CSE identified the problem in late 2013, reported it to the Commissioner, and suspended the data transfers pending a solution to the problem, which Defence Minister Sajjan described today as being caused by "technical deficiencies in CSE systems". These deficiencies must be quite fundamental, however, as it is now 2016 and the problem remains unresolved.
The press release from the Commissioner's office also reports that, "while the Commissioner stated he believes the actions of CSE [in transferring the unminimized metadata] were not intentional, it did not, however, act with due diligence when it failed to ensure that the Canadian identity information was properly minimized." This seems to be the basis of the Commissioner's conclusion that, in this instance, CSE did not comply with the law, whereas in earlier casesunintentional violations of the law have not been characterized as non-compliance.
Perhaps the Commissioner was especially annoyed in this case because in 2013 his predecessor had assured Canadians that "in its reports, and in other information [e.g., metadata] CSE shares with its domestic and international partners, CSE must render impossible the identification of Canadians, and I verify that this is done. As noted in my report last year, I have found that CSE does take measures to protect the privacy of Canadians in what it shares with its domestic and international partners." [Quotation updated 29 January 2016 for reasons of terminological exactitude. HT to WG.]
The Commissioner's declaration that CSE did not comply with the law brings to an abrupt and welcome end the nearly 20-year-old Ottawa tradition of deflecting all questions about CSE activities with the refrain that "the independent CSE Commissioner has always found CSE to be in compliance with the law". (It looks like this blog post is going to need some revision.)
I'll comment on some of the other interesting and significant elements in the 2014-15 report in future posts.
Related coverage and commentary:
- Jim Bronskill, "Canada’s electronic spy agency broke privacy law by sharing metadata, watchdog says," Canadian Press, 28 January 2016
- Robert Fife & Colin Freeze, "Canada's spy agencies broke surveillance laws, watchdogs reveal," Globe and Mail, 28 January 2016
- Justin Ling, "Canadian Spies Get Spanked Again For Sharing Citizens' Data With the NSA," Vice News, 28 January 2016
- "Canada's electronic spy agency stops sharing some metadata with partners," CBC News, 28 January 2016
- "Electronic spy agency stops sharing information with partners over privacy concerns," CTV News, 28 January 2016
- Monique Muise, "Watchdog says electronic spy agency shared info about Canadians," Global News, 28 January 2016
- "Canadian intelligence agency stops sharing metadata with foreign intelligence agencies following revelations that shared information was not being sufficiently protected," OpenMedia news release, 28 January 2016
Update 29 January 2016:
- Alex Boutilier, "Canada’s electronic spy agency broke privacy laws, watchdog says," Toronto Star, 28 January 2016. Note the discussion of CSE's accompanying "technical briefing": "A high-ranking CSE official, who Thursday gave a technical briefing on the condition they not be named, described the issue as a technical glitch discovered in late 2013.... While CSE downplayed the severity of the breach — saying the privacy impact was “low” — it was significant enough to prompt the first press briefing in the agency’s 70-year history." A good point.
As for CSE's insistence on no use of names, if I had to guess, I'd say the speaker was probably Shelly Bruce. After all, what "high-ranking" CSE official would be better for speaking to this issue than the Deputy Chief who is in charge of the SIGINT program at the agency? (It might also explain why the Toronto Star used "they" as the pronoun in this instance.) But if it was Bruce, why insist on non-attribution? As the link shows, Bruce's name and position are not in any way secret. Maybe it wasn't Bruce, in which case the non-attribution might make some minimal amount of sense.
Update 31 January 2016:
Here are the speaking notes for high-ranking CSE official They Who Must Not Be Named. Minor quibble: CSE will be celebrating its 70th birthday on 1 September 2016. It's a bit premature, therefore, to declare in January 2016 that "CSE has been at work, protecting Canada and Canadians, for over 70 years."
Update 1 February 2016:
Update 4 February 2016:
- Tamir Israel & Christopher Parsons, "Why We Need to Reevaluate How We Share Intelligence Data With Allies," Just Security, 3 February 2016