Cyberspies mistakenly eyed Canadian for five years
The national cyberspying agency monitored a Canadian citizen, contrary to policy, for several years due to a series of internal mistakes, a newly released watchdog report says.
The Ottawa-based Communications Security Establishment collects a wide array of foreign communications, including phone calls and emails, in search of information of interest to Canada.
The CSE is forbidden by law from directing its activities against Canadians anywhere in the world and must try to protect their privacy when using or keeping intercepted information.
CSE commissioner Jean-Pierre Plouffe, the long-time watchdog over the agency, noticed a privacy lapse that prompted him to conduct an in-depth review.
In his 2018-19 annual report, recently tabled in Parliament, Plouffe says a foreign national who was identified as possibly holding Canadian citizenship was monitored by the CSE from 2010 to 2015.
As part of Canada’s role in the Five Eyes intelligence alliance, the CSE works closely with spy services from the United States, Britain, Australia and New Zealand.
In 2018, one of these agencies, which the report does not identify, drew CSE’s attention to the fact that the issue of the person’s nationality “had not been fully addressed” in 2010 when his or her possible Canadian citizenship was first discovered, Plouffe’s report says.
The CSE then “obtained the necessary information to confirm that the targeted person was indeed Canadian,” the report says.
It is the CSE’s usual practice to protect the privacy of people who are identified as possibly Canadian in the same way as those whose citizenship is confirmed, Plouffe says.
He found that CSE analysts did not knowingly target the Canadian and that a series of factors led to the agency’s error. Among them: the incident was discovered over a holiday, separate targeting teams responsible for different technical aspects of collecting information did not properly co-ordinate their responses, and the CSE failed to identify the possible Canadian as such in its targeting database.
Ultimately, Plouffe found that although the CSE complied with the law, the incident highlighted gaps in the agency’s information management, privacy-protection procedures and policy guidance related to targets who might be Canadian but whose status is in question.
He says the risk of such an error recurring is low given the CSE has taken several steps to avoid inadvertently targeting Canadians now, including adopting new tools and information-management procedures.