Tuesday, August 05, 2014

CSEC and data on Canadians

Globe and Mail reporter Colin Freeze has written a pair of interesting articles on CSEC's collection of data concerning Canadians: "Canadian intelligence sweeps often intercept private data, spy document reveals," Globe and Mail, 31 July 2014, and "CSEC won’t say how long it keeps Canadians’ private data," Globe and Mail, 4 Augusr 2014).

The first article looks at the interception of private communications and other information about Canadians during CSEC's Mandate (b) (cyber defence) operations to protect government information systems and networks:
In its fight against Chinese espionage and other cyberthreats, Canada’s electronic-intelligence agency intercepts citizens’ private messages without judicial warrants.

A 22-page “Operational Procedures for Cyber Defence” document obtained by The Globe speaks to just how Communications Security Establishment Canada (CSEC) can log, store and study volumes of electronic communications that touch government computer networks – including the “private communications” of Canadians not themselves thought to be hackers.


Intelligence officials, who say they never “target” Canadians, argue they need to make use of domestic communications to pinpoint threats.

“We take strict measures to protect the privacy of Canadians,” said Ryan Foreman, a spokesman for the agency. “… The total number of private communications used and retained is classified,” he said, but added that CSEC only keeps such messages “if they contain or are suspected to contain malware or other threats.”


While it is a crime for other federal agents to snoop on Canadians’ private communications without a warrant, CSEC has a get-out-of-jail-free card. In 2001, Parliament passed a law saying its interceptions are beyond Criminal Code constraints, so long as the politician running the Defence Department signs what’s known as a “ministerial authorization.”

Not much is known about how such powers have been used over the past 13 years, beyond giving CSEC leeway to intercept citizens’ full communications without criminal consequence. (Grabs at telecommunications traffic, or “metadata,” are accomplished by CSEC under different legal reasoning.)

Seeing interception of private communications as an inevitability, CSEC takes pains to handle them with care. The cyberdefence operations document says strict steps must be followed, not just by CSEC employees, but also by outside contractors and “secondees” from other agencies.

The process starts when a federal “client” department writes CSEC requesting a cyberdefence operation. The spy agency then warns of how its tools may risk intercepting private communications. Captured communications considered private can be retained, analyzed or even shared by CSEC if they meet the threshold of being either “relevant” or “essential.” Any “Canadian identity information” is usually kept secret in such exchanges.
This article prompted a rare riposte from CSEC Chief John Forster, who charged that it "mischaracterizes how our organisation protects Government of Canada systems and networks and ignores the measures that Communications Security Establishment (CSE) has in place to protect the privacy of Canadians - including that all of our activities are reviewed by the independent CSE Commissioner to make sure we act lawfully and protect Canadians’ privacy."

I expect the Globe and Mail thanked Forster for his input and told him to come back when he could point to something specific that the article got wrong.

You can read CSEC's own explanation of its cyber activities and privacy protections here and here.

The second article examines the rules concerning how long CSEC can hold on to data about Canadians:
The federal government’s secretive electronic intelligence agency is not disclosing how long it can hold onto Canadians’ communications – even though its leaders have said that “firm” time limits are in place to protect privacy.

The strictures surrounding Communications Security Establishment Canada’s data-retention periods – including those affecting recognized “private communications” and also “metadata” – are blacked out from an operational document obtained by The Globe and Mail.

The redactions of this document are so extensive that little is revealed, beyond the latest indication that CSEC is drawing from unspecified sources within Canada.

“The retention schedules outlined in these procedures deal with SIGINT [signals intelligence] data acquired from Canadian [word redacted] sources,” it says.

CSEC came under fire this winter for violating privacy, after a leak showed that a “Canadian special source” – never described further – had helped the agency identify and track Internet-using devices that had passed through a Canadian airport.

In February, CSEC chief John Forster responded to criticisms by telling a parliamentary committee that such activities are fully legal, and in keeping with the secret orders the agency gets from Minister of National Defence Rob Nicholson. “The data wouldn’t be retained any longer than we needed it for that exercise, and the ministerial directive has a firm end-of-retention date,” he said.


The “Retention Schedules for SIGINT Data” document, newly disclosed under Access to Information laws, indicates a complex calculus is at play.

A chart where boxes are largely blacked out suggests that retention periods can differ depending on which of the CSEC’s three mandates is engaged to intercept communications – foreign intelligence, cyber defence, or in helping other federal agencies.

Retention periods are also governed by whether CSEC intercepts full communications or just “metadata” traffic, whether the underlying information is considered “essential” – and especially whether a known “private communication” of a Canadian has been caught.
The document that was released, OPS-1-11: Retention Schedules for SIGINT Data, has been placed online by Freeze and can be found here.

Although the details have all been redacted, we do know something about the maximum time periods during which some such information can be retained.

According to the description of CSEC's PPU 040 databank, which holds information about Canadians that is considered relevant to CSEC's foreign intelligence reporting, such information can be "held indefinitely".

By contrast, information retained about Canadians that was collected during CSEC's cyber defence operations, which is held in the PPU 007 databank, "is held for up to thirty years then transferred to LAC [Library and Archives Canada]."

Jim Bronskill of the Canadian Press recently reported on PPU 007.


Post a Comment

<< Home