Wednesday, May 28, 2014

CSEC data banks on Canadians

Jim Bronskill reports on a CSEC data bank that contains information about Canadians ("CSEC gathers personal info while defending against cyberattacks," Canadian Press, 28 May 2014):
Canada's electronic spy agency says it gathers and sometimes keeps personal information — including names and email addresses of Canadians — as part of efforts to protect vital networks from cyberattacks.

Communications Security Establishment Canada maintains an information bank containing the personal information of "potentially any individual" who communicates electronically with a key federal computer network while CSEC is assessing its vulnerability.

Information in the bank — known as CSEC PPU 007 — is held for up to 30 years before being transferred to Library and Archives Canada, says a description in the federal Info Source guide, which lists the various categories of personal information held by the government.

"Personal information may be used to assess potential threats to information technology systems subject to the assessment, and to help ensure the security of these electronic systems," the notice says.

The listing sheds light on a little-known aspect of CSEC's work — threat assessments and technical analyses aimed at strengthening federal defences against foreign cyberattacks on government computers.


The Info Source listing says personal information collected by CSEC during cyberdefence efforts may include a person's full name, email address, Internet Protocol (or IP) address and any incidental personal details contained in electronic routing codes, or metadata.

Information from the data bank may be shared with domestic police agencies "or foreign bodies" in keeping with formal agreements, the listing says.
CSEC also has a second data bank, CSEC PPU 040, that was not mentioned in the Bronskill article. PPU 040 contains "personal information [about Canadians] relating to sensitive aspects of Canada's international relations, security and defence" that CSEC has collected during the course of its foreign intelligence activities. Unlike the information in PPU 007, the information in PPU 040 is retained "indefinitely".

More information about the two data banks can be found here.

The 1988 version of the blurb concerning PPU 040 was marginally more descriptive, stating that the data bank "contains information concerning individuals identified as potential risks to national security", as well as containing "personal information relating to sensitive aspects of Canada's international relations and defence."


Post a Comment

<< Home