Information about Canadians was shared to foreign governments by Canada’s Communications Security Establishment, according to the federal watchdog reviewing the activities of the electronic surveillance agency.

This came to light with the release of a report yesterday by CSE Commissioner Jean-Pierre Plouffe who found several deficiencies in how the Ottawa-based agency collected and handled metadata pertaining to Canadians. The report covered the period between 2014 and 2015. Plouffe, who has been CSE commissioner since 2013, has made eight recommendations to improve the way the CSE operates.

Jean Pierre Plouffe
Jean-Pierre Plouffe

“I have met with Mr. Plouffe, and advised him that I support his recommendations,” Minister of National Defence Harjit Sajjan, said in a statement today. “CSE discovered, on its own, that certain types of metadata were not being properly protected prior to sharing with allies, due to technical deficiencies in the CSE system.”

The CSE, which is administered by the Department of National Defence (DND), is responsible for intercepting, collecting and analyzing foreign signal intelligence (SIGINT) and protecting Canadian government electronic information and communications networks. By law, it is prohibited from directing its operations on Canadians. The agency provides intelligence information to Canadian government clients but it also shares some information with so-called Five Eyes partners (an intelligence alliance comprised of Australia, Canada, New Zealand, United Kingdom and the United States) and non-Five Eyes, second party partners.

Data sharing with partners suspended

Metadata is information associated with communications that are used to identify, describe, manage or route that communication. It includes, but is not limited to, a telephone number, an email or IP (Internet protocol) address, network and location information.

“CSE will not resume sharing this information with our partners until I am fully satisfied the effective systems and measurements are in place,” said Sajjan.

In his review of the CSE, Plouffe said he found that “metadata ministerial directives lack clarity regarding the sharing of certain types of metadata with Five Eyes partners, as well as other aspects of CSE’s metadata activities.”

“In addition, while I was conducting this current comprehensive review, CSE discovered on its own that certain metadata was not being minimized properly,” he said.

Metadata was not minimized

Minimization is a process by which Canadian identity information contained in metadata is rendered unidentifiable prior to being shared, according to Plouffe. It is a privacy protection measure which the CSE is expected to implement as a matter of ministerial directive.

“Therefore, the fact that CSE did not properly minimize Canadian identity information contained in certain metadata prior to being shared was contrary to ministerial directive and to the CSE’s operational policy,” according to the commissioner.

Plouffe also said that his review revealed that there was a lack of proper record-keeping in the CSE’s process.

He also found incidents of procedural errors in handling of information and that policies and procedures relating to the retention of private communications “were not followed in some instances.”

Impact unclear

The report was not clear on the volume of data or the number of Canadians impacted by these lapses. Plouffe also said that he believed CSE personnel were not intentional in their failures.

Among Plouffe recommendations were the improvement to the clarity of ministerial directives, the removal of ambiguities regarding the CSE’s to conduct IT security activities that risk the interception of private communication, and the update of process documentation and development.

He also said “CSE should develop caveats” to attach to specific operational material that may be shared with Second Party partners to ensure the information would not be used without expressed authorization from CSE.