UPDATE: The Canadian Communications Security Establishment (CSE) has revised its report on privacy incidents, now reporting a total of 137 incidents for 2022-23. This article has been updated to reflect the correction.
In the last fiscal year, Canada’s electronic intelligence agency, the Communications Security Establishment (CSE), identified 137 privacy incidents, including 23 attributed to a Five Eyes partner agency.
Following privacy concerns, the CSE temporarily halted the sharing of “metadata” with close security partners. However, the program has now resumed.
A privacy incident can range from minor procedural errors, such as mislabeling data, to more serious breaches involving sensitive information. The severity of the 137 incidents in 2022-23 is not specified in the CSE’s report.
Metadata refers to information related to electronic communications, such as IP addresses, timestamps, phone numbers, and email addresses. While it does not include the content of messages, this information can still be highly sensitive and is considered essential to the CSE’s foreign intelligence mission.
The CSE’s annual report states that the agency has detailed internal policies on handling information related to Canadians. By law, the CSE is prohibited from targeting Canadians or individuals in Canada. However, Canadian information can be incidentally collected through the agency’s surveillance of global internet infrastructure.
The CSE considers even minor privacy breaches as operational privacy incidents and takes steps to rectify them, such as deleting data. The agency logs and tracks these incidents in order to prevent future occurrences.
Prior to this disclosure, the CSE had only recently started publicly reporting the number of privacy incidents it logs each year. In 2021-22, the agency internally recorded 114 incidents and attributed another 33 to a foreign “second party” agency.
Separate reports on the agency’s compliance with privacy laws indicate that a few breaches in the past five years were significant enough to notify Canada’s privacy watchdog. However, no incidents in 2022 met that threshold, according to the CSE.
Robyn Hawco, a spokesperson for the agency, emphasized that the CSE has implemented a range of policies and procedures over the years to protect Canadian privacy. While a single error is unlikely to result in a privacy breach, any occurrence that contradicts or falls outside these measures is considered an operational privacy incident.
The CSE’s work has attracted increased scrutiny due to its advanced electronic surveillance capabilities and revelations about Five Eyes spying operations from Edward Snowden. Although privacy breaches are considered unavoidable given the nature of the work, a 2020 report from the National Security and Intelligence Review Agency noted deficiencies in how the agency handles such incidents.
The CSE’s report also reveals that the agency has resumed sharing metadata with its Five Eyes security partners, which include agencies from the U.S., U.K., Australia, and New Zealand. This sharing was temporarily halted in 2014 when the agency discovered inadvertent sharing of information that could identify Canadians.
According to the report, the CSE acquires metadata as part of its foreign intelligence mandate. While it is prohibited from targeting communications of Canadians, the global information infrastructure can lead to incidental acquisition of information that may identify Canadians.
To minimize the risk of sharing identifiable information, the CSE has implemented a new system that grants them control over shared metadata. Defence Minister Anita Anand emphasizes the importance of intelligence sharing with Five Eyes allies while operating within legal boundaries, given the emerging threats from China and Russia.
Regarding the trustworthiness of the metadata sharing program, Anand highlights the presence of various accountability measures and assures that the sharing of data will occur within the bounds of the law.
© 2023 Global News, a division of Corus Entertainment Inc.
Denial of responsibility! VigourTimes is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.