Pri­vacy breach at spy agency leads to train­ing

The Guardian (Charlottetown) - - CANADA -

Canada’s elec­tronic spy agency in­tro­duced manda­tory pri­vacy aware­ness train­ing for all em­ploy­ees in March fol­low­ing an in­ter­nal breach in­volv­ing per­sonal in­for­ma­tion.

When Greta Bossen­maier be­came chief of the Com­mu­ni­ca­tions Se­cu­rity Es­tab­lish­ment in Fe­bru­ary, the ul­tra-se­cret eavesdropping out­fit was un­der in­tense public scru­tiny over al­leged spy­ing on cit­i­zens.

But less than two months into the job, Bossen­maier was in­form­ing the spy agency’s staff of a pri­vacy vi­o­la­tion in­side its own walls.

“I se­ri­ously re­gret that we are in this sit­u­a­tion and never want it to be re­peated,” Bossen­maier told em­ploy­ees in a March 20 email.

“As such, we must use it as a learn­ing op­por­tu­nity so that we can pre­vent any fur­ther in­ci­dents from oc­cur­ring.”

The Ot­tawa-based CSE, which em­ploys about 2,000 peo­ple, uses highly ad­vanced tech­nol­ogy to in­ter­cept, sort and an­a­lyze for­eign com­mu­ni­ca­tions for in­for­ma­tion of in­tel­li­gence in­ter­est to the fed­eral gov­ern­ment.

Doc­u­ments leaked in 2013 by for­mer Amer­i­can spy con­trac­tor Ed­ward Snow­den re­vealed the U.S. Na­tional Se­cu­rity Agency — a close CSE ally — had qui­etly ob­tained ac­cess to a huge vol­ume of emails, chat logs and other in­for­ma­tion from ma­jor In­ter­net com­pa­nies, as well as mas­sive amounts of data about tele­phone calls.

As a re­sult, civil lib­er­tar­i­ans, pri­vacy ad­vo­cates and op­po­si­tion politi­cians have de­manded as­sur­ances the CSE is not us­ing its ex­tra­or­di­nary pow­ers to snoop on Cana­di­ans. The agency in­sists it scrupu­lously fol­lows the law in pro­tect­ing Cana­di­ans’ pri­vacy.

On July 31, 2014, some­one no­ti­fied CSE’s cor­po­rate se­cu­rity of­fi­cials that a file con­tain­ing per­sonal in­for­ma­tion re­lated to se­cu­rity clear­ances was mis­tak­enly given public-ac­cess per­mis­sion mark­ings, mak­ing it ac­ces­si­ble to CSE per­son­nel, ac­cord­ing to Bossen­maier’s email to staff.

An edited ver­sion of her clas­si­fied mes­sage was ob­tained by The Cana­dian Press un­der the Ac­cess to In­for­ma­tion Act.

By Novem­ber an in­ter­nal probe de­ter­mined the breach had po­ten­tially af­fected the per­sonal in­for­ma­tion of 146 peo­ple. How­ever, fur­ther ex­am­i­na­tion led the agency to con­clude in Jan­uary that the sen­si­tive per­sonal in­for­ma­tion of just five in­di­vid­u­als — four CSE em­ploy­ees and one mem­ber of the public — was deemed to be at risk.

“The in­ves­ti­ga­tions de­ter­mined that the in­ci­dent was caused by a com­bi­na­tion of tech­ni­cal and hu­man er­rors,” Bossen­maier told staff. “Sev­eral of CSE’s ex­ist­ing se­cu­rity safe­guards mit­i­gated the risk of the in­for­ma­tion be­ing fur­ther com­pro­mised or re­moved from CSE premises.”

CSE spokes­woman Lauri Sul­li­van de­clined to elab­o­rate on the na­ture of the in­for­ma­tion.

The CSE ad­vised the Trea­sury Board Sec­re­tar­iat, the fed­eral pri­vacy com­mis­sioner and the watchdog that keeps an eye on the spy agency.

In Fe­bru­ary and March, the CSE in­formed the five in­di­vid­u­als, Sul­li­van said in writ­ten an­swers to ques­tions.

“I se­ri­ously re­gret that we are in this sit­u­a­tion and never want it to be re­peated. As such, we must use it as a learn­ing op­por­tu­nity so that we can pre­vent any fur­ther in­ci­dents from oc­cur­ring.” Greta Bossen­maier, chief of the Com­mu­ni­ca­tions Se­cu­rity Es­tab­lish­ment, in an email to staff

“This in­volved ex­ten­sive co­or­di­na­tion be­tween CSE’s Pri­vacy Of­fice, se­nior man­age­ment, se­cu­rity, labour re­la­tions, and CSE’s Coun­selling and Ad­vi­sory Pro­gram.”

The CSE ush­ered in a new pol­icy last Septem­ber on ad­min­is­tra­tive pri­vacy breaches, asked man­agers to re­view ac­cess per­mis­sions on re­main­ing doc­u­ments, and in­tro­duced manda­tory pri­vacy aware­ness train­ing for all staff in March.

The fed­eral pri­vacy com­mis­sioner’s of­fice told the CSE In April that the steps taken were rea­son­able and that no fur­ther ac­tion was re­quired, Sul­li­van said.

Va­lerie Law­ton, a spokes­woman for the com­mis­sioner’s of­fice, con­firmed that it was aware of the in­ci­dent, but added the Pri­vacy Act pre­vented her from say­ing more.

Bossen­maier sent the March 20 email to staff shortly be­fore a brief ac­count of the breach was tabled in Par­lia­ment as part of a broader writ­ten an­swer to a for­mal ques­tion about fed­eral data lapses from New Demo­crat MP Char­lie An­gus.

Sul­li­van said the tim­ing of Bossen­maier’s mes­sage “was di­rectly re­lated to com­plet­ing the process of no­ti­fy­ing the five im­pacted in­di­vid­u­als.”

In her note, Bossen­maier urged staff to re­view the new pri­vacy pro­to­col, take the manda­tory train­ing, ex­er­cise care when as­sign­ing ac­cess per­mis­sions to doc­u­ments, re­main alert to any “se­ri­ous anom­alies” in in­for­ma­tion man­age­ment, and im­me­di­ately re­port any prob­lems.

“We all have a role to play in safe­guard­ing in­for­ma­tion, and I am re­mind­ing you to ap­ply it se­ri­ously to all in­for­ma­tion held by CSE.”

Newspapers in English

Newspapers from Canada

© PressReader. All rights reserved.