CSE metadata scandal casts doubt on Parliament’s surveillance-oversight credibility

A protester holds a sign reading “Stop Watching All Of Us”. Below is a stylized eyeball, the pupil of which is a handprint held up in a “stop” gesture. (Image credit: Elvert Barnes/Flickr)

If you’re like most Canadians, you’ve never heard of the CSE.

CSIS? Sure, in a vague kind of way – they’re kind of like the Canadian CIA, right? (Not exactly.) But the Communications Security Establishment lacks the widespread recognition of its controversy-entangled American counterpart, the NSA.

Maybe you’ve heard of them? Or their most famous contractor? His leak of NSA documents got this country – briefly – talking about the CSE this time last year when it was revealed that the extremely secretive agency monitors tens of millions of downloads every day.

The CSE, like the NSA, engages in what’s known as “signals intelligence” – monitoring of phone calls and electronic communications. Unlike the NSA, which famously hoovers up whatever it can get its high-tech cybernetic paws on, regardless of the source, CSE faces some restrictions on its surveillance, the most significant of which is that it is not permitted to monitor the communications of Canadian citizens.

But it’s hard to exclude specific sources when you’re scooping up such massive amounts of information. In practice, CSE collects its intelligence pretty indiscriminately, and then it filters out, or “minimizes”, information pertaining to Canadian citizens.

Or at least that’s the idea. In practice, it turns out that CSE has not actually been doing such a good job at “minimizing” that information, and in fact shared it with Canada’s surveillance partners in four other countries for quite some time.

The information that was shared with Canada’s partners in the Five Eyes nations (an intelligence-sharing coalition which also includes the United States, Australia, New Zealand, and the United Kingdom) was metadata, or data about data. For a phone call, it would include information such as the geo-location of the parties of the call, the phone numbers involved, and the duration of the conversation; for email, it would include things like email addresses, IP addresses, date and time, and the subject line. It would not include a recording of the phone call or the full text of the email

This is what CSE discovered it had been (“inadvertently”) sharing with its partner agencies. They say (and we have to take their word for it) that they immediately ceased sharing any information with their Five Eyes partners, a state of affairs which has continued for the past twenty-six months.

What’s extremely disconcerting about this scandal is not CSE’s misbehaviour – of course a secretive intelligence agency which isn’t subject to intense oversight is going to abuse its powers, inadvertently or not. It’s the lackadaisical response to the problem by both the Conservative and Liberal Parties.

The Conservatives, in power when the issue was first noticed by CSE, actively covered up the fact that there was a problem to begin with. Minister of Defence Rob Nicholson was told about the data breach way back in 2013, and the only reason we’re hearing about it now is that the Liberals decided to finally release CSE’s 2014-15 annual report. Moreover, Nicholson (who couldn’t be reached for comment by such a wide variety of much more prestigious media organizations that I didn’t even bother trying) actively lied to Parliament about the issue:

Nicholson appeared before the House of Commons defence committee in April 2014.

“With respect to metadata and other issues, the commissioner has indicated that the organizations are in complete compliance with Canadian law,’’ Nicholson assured MPs that day.

“Were the commissioner ever to conclude that the agency is acting outside the law, he would be required to report this immediately to the attorney general and to me as the minister responsible for CSE,’’ Nicholson continued, assuring he takes the findings of the commissioner “very seriously.”

Again — at that time the sharing program had been suspended.

This does look awful bad for Rob Nicholson, but somebody who should also be concerned is Jason “#PeopleLikeNenshi” Kenney, who succeeded Nicholson as Minister of Defence and either knew about the data-breach scandal and didn’t act on it or was worse at his job than even I suspected.

Our current Defence Minister, Harjit Sajjan, did his best to be reassuring about the implications of this massive transfer of (meta)data on Canadian citizens to foreign intelligence agencies:

In a statement, Sajjan says the “metadata in question … did not contain names or enough information on its own to identify individuals” and that “taken together with CSE’s suite of privacy protection measures, the privacy impact was low.”

He added: “I am reassured that the commissioner’s findings confirm the metadata errors that CSE identified were unintentional, and am satisfied with CSE’s proactive measures, including suspending the sharing of this information with its partners and informing the Minister of Defence.”

As for the question of how many Canadians were affected by the breach, Sajjan told reporters that he couldn’t answer that question, as digging into the data for an answer would actually constitute a second violation of Canadians’ privacy.

Here’s Sajjan obfuscating like a pro for the reporters:

But here’s the thing – Sajjan’s assertion that the privacy implications are minimal is actually total bullshit. Metadata may not actually contain things like people’s names – unless, I dunno, your email address is youractualname@website.com – but it can actually reveal quite a lot about you, like which locations you frequent and when, or with whom you communicate frequently and by what means. The CIA’s drone assassination program has targeted and killed individuals entirely on the basis of metadata, without knowing their actual identities. (And it’s entirely possible that the metadata in question was provided by CSE through Five Eyes intelligence-sharing.)

Whatever else it may be, metadata is not trivial, and the sharing of metadata concerning Canadian citizens with foreign intelligence agencies constitutes a major privacy breach. And Sajjan, a former police detective and military intelligence officer who was once described as “the best single Canadian intelligence asset in [the Afghanistan war]”, surely knows that this is true. Which means that he’s deliberately feeding the public a bullshit story.

At the end of that CBC clip above, Public Safety Minister Ralph Goodale manages to get himself in front of a microphone and make his opinions known as well. Those who follow security and surveillance issues will know Goodale as the Trudeau government’s point person on C-51 reform, and as I wrote a few weeks ago, he’s been making the government’s plans to create a Parliamentary oversight committee for intelligence agencies a centrepiece of his plan to deal with the controversial law. He used the CSE scandal to once again push that proposal, suggesting that such an oversight committee would be a good corrective to too much secrecy.

And to be fair, he is on to something. CSE, like a few other security and intelligence agencies, essentially polices itself. Others, like CSIS, are currently overseen by a relatively toothless, underfunded, and understaffed committee known as SIRC, which lacks the ability to impose punishment or restrictions on the agencies it oversees and is restricted to examining one agency at a time rather than considering operations in which agencies cooperate holistically. Oversight of Canada’s security and intelligence agencies is in drastic need of an overhaul.

But if the way the two major parties have behaved in reaction to the CSE scandal is any indication, a Parliamentary oversight committee would not be much of an improvement over the status quo.

On the one hand we have the Conservative Party, which actively engaged in a cover-up of the scandal, and on the other hand we have the Liberal Party, which is actively minimizing the scope and seriousness of the scandal.

These would be the very same parties monitoring the behaviour of the intelligence agencies – behind closed doors, naturally.

Under such circumstances, would we have ever even heard about this data breach? Even when it’s speaking to the public, the government of the day doesn’t seem to be overly concerned with getting to the bottom of why it happened, and are completely willing to trust CSE on its own self-accounting of the breach.

This scandal has greatly undercut Parliament’s credibility when it comes to providing meaningful oversight of Canada’s intelligence agencies. And given that the stakes of the information shared by CSE are literally life and death, perhaps a better way forward would be rethinking whether we want to be indiscriminately collecting this kind of information to begin with, or even if we want to be part of an intelligence coalition with such an atrocious human rights record as the Five Eyes does.


If you enjoy The Alfalfafield, please take a minute to like the Facebook page, follow me on Twitter, or subscribe to the RSS feed. You can also contact me by email at matt@thealfalfafield.com.

Got Something To Say:

Your email address will not be published. Required fields are marked *

*

Copyright © 2019. Powered by WordPress & Romangie Theme.