Spy agency cagey on privacy breaches
Bureau won’t put a number on cyber-snoops since 2007
OTTAWA — The Communications Security Establishment is refusing to release the number of privacy breaches the agency has logged since 2007.
Documents obtained by the Star state the intelligence and cyber defence agency has maintained a central database for certain privacy violations since 2007. These breaches are categorized as minor “procedural errors” or more serious “privacy incidents,” and reviewed by the CSE Commissioner’s office every year.
“In these files, CSE records any incidents it identifies that put at risk the privacy of a Canadian in a manner that runs counter to (or is not provided in) its operational policies,” says a September 2014 letter from former CSE chief John Forster to a senior Treasury Board official.
The Star requested just the number of breaches — no details about what actually transpired or the Canadian personal information involved — but was told the agency could not comply due to “operational security concerns.”
“Releasing the number of (breaches) would provide insight into CSE’s capacity to conduct operations, the extent of its capabilities, the degree to which partner organizations benefit from sharing and the reach of the programs,” wrote spokesperson Ryan Foreman in an email last week.
CSE is one of Canada’s most technologically sophisticated agencies, responsible for collecting foreign intelligence and protecting Canadian networks from cyber attacks. It is forbidden to use its surveillance tactics against Canadian citizens, except under specific circumstances.
But disclosures from U.S. whistleblower Edward Snowden have aroused suspicion about CSE’s tools and tactics as part of the Five Eyes alliance that also includes the U.S., U.K., Australia and New Zealand.
Documents tabled in Parliament last month show CSE logged 13 privacy and information breaches in 2015, affecting at least 630 individuals. The agency did not report any of the privacy breaches to the federal privacy commissioner, as CSE determined that there was “no significant risk” to the individuals involved.
CSE further refused to report the activities that led to the breaches.
The Star reported Sunday that the agency has been in a year-long debate with the Privacy Commissioner Daniel Therrien’s office over how much information CSE is required to report about privacy breaches. A government-wide regulation requires all serious breaches to be reported to the privacy watchdog, but a “discussion” about how best to do that has been dragging on since at least January 2015.
On Monday, NDP foreign affairs critic Hélène Laverdière asked Defence Minister Harjit Sajjan to explain why CSE is resisting turning information over to Therrien’s office.
“CSE has proactively worked with the commissioner on all aspects, and they do have a good working relationship,” said Sajjan, who is responsible for the intelligence agency. “CSE abides by Canadian law, including the Privacy Act.”
Wesley Wark, a professor at the University of Ottawa specializing in security and intelligence matters, said reviewing CSE’s privacy breaches has typically fallen to the CSE commissioner, rather than the privacy watchdog.
“Really, the protection of privacy role, in terms of external review, has de facto been given to the CSE commissioner,” Wark said in an interview last week.
The 12-person team at CSE Commissioner Jean-Pierre Plouffe’s office is mandated to ensure that CSE complies with Canadian law.