News

Canadian Spies Get Spanked Again For Sharing Citizens’ Data With the NSA

They won’t tell us what it means, but the Canadian government has confirmed that its spy agencies have a real problem with mass-collecting its citizens’ metadata.

They won’t say how many Canadians were affected, what processes led to the mass-spying, how much information was shared with international intelligence agencies like the NSA, or even how they define “metadata.” But they’re confident everything will be okay.

Videos by VICE

After news broke that untold number of Canadians had their private information collected by a top-secret intelligence agency, Minister of National Defence Harjit Singh Sajjan told reporters even he didn’t know how far it went.

“We can’t give you the actual number because, the way I was informed, by us actually trying to dig into that answer itself, we will be actually violating the law on digging up that type of information.”

“We can’t give you the actual number because, the way I was informed, by us actually trying to dig into that answer itself, we will be actually violating the law on digging up that type of information,” Sajjan said.

Two heavily-scrubbed reports released Thursday, looking into activities of the Communications Security Establishment (CSE) and the Canadian Security Intelligence Service (CSIS) in the 2014-2015 fiscal year.

The two review agencies that conducted the reports, which have a combined staff of just 30, paid special attention to how the two spy shops were using, and misusing, Canadians’ metadata.

CSE, which handles signals intelligence and deals directly with the National Security Agency (NSA), had its knuckles rapped over its classified metadata collection program.

The collection process, according to Thursday’s report, led to Canadians’ information being grabbed, likely from the very backbone of the internet, and being passed on to agencies in other Five Eyes countries like the NSA.

This, despite the fact that the law specifically forbids CSE from targeting Canadians, or holding on to their information without a valid authorization.

Related: How Canadian Spies Infiltrated the Internet’s Core to Watch What You Do Online

This breach was hardly an earth-shaking revelation for most intelligence-watchers in Canada. Details of CSE’s metadata-collection program, and its penchant for funneling that data to its closest intelligence partners — New Zealand, Canada, Australia, the United States, and the United Kingdom — has been raised in the past, but was especially highlighted in the Edward Snowden leaks.

Various reports on these programs have been published by the Canadian Broadcasting Corporation — while others have been withheld for unknown reasons. One report in particular raised eyebrows: A presentation leaked by Snowden on a powerful data-collection process inserted by CSE right into the fibre optic cables that make up the world-wide infrastructure that comprises the internet.

It is technically impossible that CSE, in collecting vast sums of data from the very core of the internet, was not scooping up Canadians’ private information as well.

The CSE Commissioner report published today did not make explicit reference to that program, but it may be what led to CSE’s trouble.

The Commissioner said CSE discovered, all on its own, that it was collecting Canadians’ data and passing it along to the Five Eyes — which is quite against the rules — coincidentally while he happened to be investigating a related matter, also stemming from the Snowden leaks.

CSE said it immediately stopped sharing information gleaned through that method after discovering the problem. It has yet to be restarted.

At a background briefing with reporters, a senior official with CSE wouldn’t say the extent to which Canadians’ privacy was breached.

One thing the Commissioner did look into were reports, from the Snowden leaks, that suggested CSE was experimenting with a program that tracked travellers who logged onto airport wifi hotspots in Canadian and American airports, which could give them the ability to scrape untold amounts of data from their cellphones.

“I decided to investigate the matter,” wrote Commissioner Jean-Pierre Plouffe in his most recent report. He eventually, after technical briefings with CSE, concluded that the program was designed to collect foreign intelligence and that “CSE took measures to protect the privacy of Canadians in this activity.”

But much like its other metadata collection programs, it’s unclear how that can be true.

As Plouffe wrote, CSE can “minimize” Canadians’ data that CSE gets its hands on. In doing so, they make it “unidentifiable.” The senior official from CSE said that information would be really, really hard for other agencies to decrypt.

Ultimately, Plouffe’s report, which covered a period that ended nearly a year ago, addresses few of the questions that have long followed CSE. A notable one: what is metadata?

The Commissioner’s definition says metadata is “information associated with a communication that is used to identify, describe, manage, or route that communication. It includes, but is not limited to, a telephone number, an email or an IP (internet protocol) address, and a network and location information.”

As Plouffe, the government, and CSE all agree: metadata does not include content.

However, metadata can include everything from GPS coordinates, search history, log-in information, hardware serial numbers, travel history, the identities of anyone you contact, and a realm of other things.

Even Plouffe admitted that no one really knows how CSE defines metadata. A five-year-old order from former Minister of National Defence Peter MacKay outlined how CSE should treat metadata. But as Plouffe notes, that order “lacks clarity” when it comes to how the metadata is collected, dealt with, and shared.

“For example, it does not define key terms, and fails to differentiate between other terms that, while similar in definition, are implicitly distinct concepts.”

“For example, it does not define key terms, and fails to differentiate between other terms that, while similar in definition, are implicitly distinct concepts,” he wrote.

A report, released the same time, from the Security Intelligence Review Committee — the review body for CSIS, which does human intelligence, but has recently begun more actively espionage activities worldwide, including some signals intelligence — uses the same definition for metadata as CSE. But CSIS, unlike CSE, has to get a court order in order to collect that information.

It turns out that those warrants, which are secret, allow CSIS to collect and use the metadata of Canadians who have little to do with the investigation, so long as it “may assist” them in their investigation. This is all done through unknown “specialized surveillance technology and associated CSIS tradecraft.”

Related: Secret Documents Reveal Canada’s Spy Agencies Got Extremely Cozy With Each Other

When it comes to CSE, Plouffe made a host of recommendations on how to fix these issues. Since 1997, the Commissioner’s office has made 156 recommendations, and CSE has “accepted and implemented or is working to address 93 percent,” but it never reports on how many it has actually adopted.

From the last two years, for example, there are 15 recommendations that have not yet been actually met.

VICE News asked Minister Sajjan directly what he intended to do, if anything, to reform how CSE is allowed to spy.

“It’s important to note that the type of metadata that we’re talking about, no content is included in that,” he answered, continuing by highlighting the counter-terrorism and cyber-security utility that metadata poses. “I have accepted all the recommendations and we will laying out a plan shortly for it.”

The government has promised to reform how Canada oversees intelligence collection, citing SIRC and the Commissioner’s authorities as woefully insufficient. While details yet to be released, the Liberals had promised to strike an all-party Parliamentary committee that would study these sorts of intelligence-collection activities, akin to what exists in the United States and United Kingdom.