Cyber spies fall short on protecting Canadians' privacy after breaches, says new report

CBC

March 5, 2021 at 5:06 p.m.·5 min read

The Communications Security Establishment complex is pictured in Ottawa on October 15, 2013. The CSE gathers foreign signals intelligence. (Sean Kilpatrick/Canadian Press - image credit)

Canada's foreign signals intelligence agency has been falling short when it comes to containing the damage done by privacy breaches, says a new report from the intelligence sector watchdog.

The findings are found in a redacted report from the National Security and Intelligence Review Agency (NSIRA) looking into reported breaches of Canadians' privacy by the Communications Security Establishment (CSE). The report was made public this week.

The CSE gathers foreign signals intelligence — or SIGINT, to use the intelligence sector's term for it. Its mandate specifically limits it to monitoring online activity abroad. The agency also has been tasked with protecting critical government infrastructure from hackers and state-sponsored attacks.

Given the sensitive nature of its work, CSE has to catalogue every incident of its activities putting the privacy of Canadians, or of any individual in Canada, at risk.

The watchdog agency wrote that it understands privacy incidents are unavoidable due to the nature of CSE's work, but it flagged problems with the way CSE treats breaches — and warned that there's nothing stopping systemic incidents from reoccurring unless changes are made.

"The mitigation, documentation and reporting of privacy incidents was inconsistent and did not always meet the transparency and accountability objectives set out in CSE internal policy," said the NSIRA report.

"Moreover, incidents were not always assessed with a view to determining the impact on lawfulness and/or the privacy of Canadians."

CSE-watcher and Citizen Lab Research fellow Bill Robinson said the report shows that the spy agency isn't doing enough to clean up after it makes a mistake that leads to a privacy breach.

"We're talking about when they make mistakes and information about average Canadians ends up getting reported by them, or otherwise gets into people's inboxes or ... where it shouldn't be," he said.

"And then, what do they do when they find out about that and how do they try to prevent that from happening? And the report suggests they're not doing a very good job of that.

"It's kind of a damning report for CSE."

CSE failing to follow up, says NSIRA

While many details are blacked out in the report, NSIRA said it observed incidents of data containing Canadian identity information being incorrectly shared, and of foreign intelligence products created through inadvertent targeting of Canadians. CSE would cancel or delete the information without checking to see of the information had been used, said the report.

"Cancelling a SIGINT product, in NSIRA's opinion, is insufficient to mitigate the potential harm arising from inadvertently including Canadian information within a report," said the report.

'While the potential harm is limited from the moment the report is cancelled, information with a Canadian privacy interest might still have been used prior to the product's cancellation."

That failure to follow up could have real consequences, said Robinson.

"They don't check on asking what they've done with the information, which could be putting somebody on a no-fly list. Or it could be putting them on a 'kill them with a drone' list in the worst case," he said.

A spokesperson for CSE said the agency has either implemented or is in the middle of introducing policy changes and technical fixes to address privacy incidents going forward.

"We have accepted NSIRA's recommendation to modify and update our approach on reporting on privacy incidents, so that an incident report is completed for every incident with a Canadian privacy interest," said Evan Koronewski in a statement to CBC News.

"CSE's operational policies establish specific measures to protect the privacy of Canadians and persons in Canada in the acquisition, use and retention of information. To ensure our staff understand and abide by our operational policies, we regularly train, test, and verify their knowledge and compliance."

NSIRA said the number of breach incidents has nearly doubled over the previous year. It said CSE's failure to assess these incidents amounts to a "gap in responsibility" for the spy agency.

Koronewski said some of the incidents CSE self-identified were simple errors.

"CSE's robust and layered approach to privacy protection contributes to an operational environment resulting in a relatively small number of inadvertent privacy incidents," said Koronewski.

"Some of these incidents are unfortunately a result of simple errors, which requires information to be updated and/or corrected."

As part of its the review, the oversight body's staff reviewed incident files between July 1, 2018 and July 31, 2019 involving information about a person or business in Canada that was handled in a manner counter to CSE's mandate, and cases involving a Canadian or a person in Canada involving the Five Eyes alliance. It also looked at cases where CSE improperly handled information about a Canadian or a person in Canada — but the information was kept from leaking out.

Leah West, a former federal lawyer turned assistant professor on national security issues at Carleton University, said cases involving allies instead of adversaries do not absolve CSE of responsibility.

West cited the case of Maher Arar. The engineer was detained by the U.S. in 2002 and deported to Syria, where he was tortured and interrogated on false terrorism allegations. A judicial inquiry found the RCMP had given misleading information to U.S. authorities.

"We just have to look at the Maher Arar incident to see where information can be shared with an ally about a Canadian that has significant implications for that Canadian once they're outside our jurisdiction. So it's not that this stuff doesn't matter," she said.

"There was a lot of stuff in this report that made me question how much is being done here for purely for the sake of compliance, rather than the deeper understanding of the trust that we put in CSE to be able to collect this information and to keep that information safe, and to collect only that information that it's absolutely necessary, especially when it comes to information that impacts the privacy of Canadians."

CSE's privacy issues were also flagged in NSIRA's annual report late last year.

HuffPost
Donald Trump Flips Out Over Barron’s Graduation Ban. Here's What The Judge Really Said.
The former president's disingenuous spin on his hush money trial whipped up anger on the right, including from his other sons Don Jr. and Eric.
8 hours ago
HuffPost
Ex-Aide Sums Up Donald Trump’s Attitude To Melania Trump With 3 Words
Stephanie Grisham also recalled a telling telephone call the former president made about his wife.
a day ago
Yahoo News UK
Julia Fox criticised over 'disgusting' vagina bikini outfit by FGM campaigners
Julia Fox has been accused of wearing the trauma of female genital mutilation survivors in her provocative outfit that shows a sewn-up vagina.
a day ago
BANG Showbiz
OJ Simpson ‘paid mobsters to murder ex-wife Nicole Brown’
A key police witness in the OJ Simpson double-murder case has said the former NFL star paid gangsters from one of history’s most maniacal mafia mobs to slaughter his ex-wife Nicole Brown.
2 days ago
USA TODAY Opinion
Thank you, Donald Trump, for fighting for my right to be embroiled in a hush money scandal
I thank PRESIDENT Donald Trump for having the guts to stand up for my right to face allegations that I slept with an adult film star.
22 hours ago
HuffPost
Viewers Think Laura Ingraham Just Made A Big Admission Of Guilt For Trump
The Fox News host got called out for her characterization of Trump's relationship with Stormy Daniels.
6 hours ago
The Daily Beast
Gloves Off! DA Wants Trump Punished for Contempt on Day 1
Photo by Jabin Botsford-Pool/Getty ImagesThe Manhattan District Attorney’s Office wants the judge overseeing the first trial against a former American president to start it off with a lunging attack, asking the court to personally sanction Donald Trump for his verbal onslaught against witnesses in the case.Shortly after noon, Assistant District Attorney Christopher Conroy formally asked the judge to fine Trump “$1,000 for each post that violates the court order,” “direct the defendant to take do
a day ago
HuffPost
Jimmy Kimmel Turns 1 Of Trump’s Biggest Insults Against Him After Bizarre Court Moment
The late-night host also unveiled some damning new nicknames for the former president.
10 hours ago
Futurism
Trump Supporters Horrified as the Value of Their "Truth Social" Stock Evaporates
Screaming Into the Void Despite an astronomical number of red flags, investors who poured their hard-earned cash into former president Donald Trump's Truth Social meme stock are experiencing a rude awakening. As the Washington Post reports, Trump supporters are seething as the value of the social media platform's parent company Trump Media & Technology Group (TMTG) […]
a day ago
Hello!
Johnny Depp is all smiles as he holds hands with co-star Maiwenn at star-studded premiere
Pirates of the Caribbean actor Johnny Depp was all smiles on Monday as he stepped out to attend the UK premiere of Jeanne du Barry alongside his co-star Maiwenn. See photos...
4 hours ago
The Daily Beast
Trump Wanted to See Crowd Outside Trial. He Got 50 Randos.
Spencer Platt/GettyOutside the Manhattan Criminal Court on Monday, a “Christian conservative rapper” who identified himself as “Shawn DVS 7.0” awaited the arrival of Donald Trump.“Sometimes I have my disagreements with Trump, but nobody compares,” he said, resting a full-size American flag pole on his shoulder. Democrats, he added, “couldn’t get him with collusion, they couldn’t get him with all the other stuff before, so now they’re going with all these side angles.”He was one of about 50 Trump
a day ago
People
Controversial TikToker Kyle Marisa Roth Has Died, Family Announces: 'Loved and Lived Fiercely'
The TikToker's family announced her death on April 15 in a series of posts on social media
21 hours ago
HuffPost
Maggie Haberman Details Donald Trump’s ‘Pretty Specific Stare At Me’ During Trial
The New York Times reporter also explained what will make the former president “deeply uncomfortable” during his hush money trial.
10 hours ago
Hello!
King Charles's big change at Sandringham will affect Princess Kate and Prince William's home
King Charles plans big change at Sandringham estate which will affect Kate Middleton and Prince William's property, Anmer Hall. Details...
a day ago
CNN
Trump says $175 million bond is financially secure, asks judge to reject New York attorney general’s challenge
Lawyers for former President Donald Trump said his $175 million bond posted to satisfy the judgement in the New York civil fraud case is financially sound, and they asked the judge to set aside the attorney general’s challenge to the bond and award him costs and fees.
13 hours ago
The Daily Beast
Jake Tapper Cracks Up Over Impression of Jury Candidate Who ‘Hated’ Trump
CNNCNN’s Jake Tapper was met with an impersonation of an Irish woman when he brought on a former lawyer for Donald Trump to discuss the process of selecting jurors in front of a judge.William Brennan, an attorney who represented Trump during the 2022 Trump Organization trial, spoke to Tapper on Monday about his experience evaluating potential jurors in the case. That experience apparently included an introduction to a 40-something Irish woman who had strong opinions about the twice-impeached for
19 hours ago
The Daily Beast
Trump Campaign Insists Mid-Trial Snooze Never Happened
Jabin Botsford-Pool/Getty ImagesThe Trump campaign furiously denied suggestions that he had fallen asleep during the first day of his historic criminal trial—calling the suggestion “fake news” while claiming falsely that the reporters who noted his sleepy courtroom demeanor weren’t even in the same room when it happened. “This is 100% Fake News coming from ‘journalists’ who weren’t even in the court room,” the Trump campaign said in a statement Monday shortly after proceedings concluded.The New
23 hours ago
HuffPost
Maggie Haberman Recalls Donald Trump 'Literally Poking At' Alina Habba In Frustration
CNN legal analyst Elie Honig suggested what to watch out for during the former president's hush money trial.
a day ago
HuffPost
Stephen Colbert Spots Exact Moment Donald Trump’s Brain Shut Down Completely
“The Late Show” host mocked the ex-president for an awkward verbal stumble at a campaign event.
11 hours ago
Associated Press
Las Vegas lawyer and wife killed amid custody fight for children from prior marriage, family says
A Las Vegas lawyer and his wife had been in the middle of a contentious battle for custody of her children from a previous marriage when the woman's former father-in-law, also an attorney, fatally shot them last week during a deposition hearing in the case, according to authorities and relatives. The coroner's office in Las Vegas identified the victims as lawyer Dennis Prince and his wife, Ashley. Both were shot multiple times, the coroner's office said, before 77-year-old Joseph Houston shot and killed himself.
19 hours ago

Latest Stories