Privacy watchdog urges Ottawa to pass ‘metadata’ legislation

Share

Canada's privacy czar is calling on the Liberals to fulfill a promise to pass laws constraining the federal spies who are allowed to capture records of Canadians' phone and Internet activities.

The Communications Security Establishment needs new legislation because it has not been careful enough in handling such material, says Daniel Therrien, the Privacy Commissioner of Canada. "The National Defence Act should be amended," he said in an interview. "I would want some clarity around the standards used to collect and share 'metadata.' Right now, the act is completely silent on this."

"Metadata" is the name federal officials give to phone logs, Internet exchanges and similar activity that spy agencies can electronically intercept in bulk. The substance of the underlying communications and the identities of communicators are not known.

CSE has been tasked with providing intelligence about foreigners to the Canadian cabinet since the 1940s. Mr. Therrien's call for new laws for CSE was formally made in his office's annual report on Tuesday. While the Liberals are not obliged to implement his findings, they promised new CSE laws on the campaign trail last year.

Canadian police officers who want access to an individual's phone records must get a judge to sign a warrant. CSE's technological analysts, which work with Canada's closest allies to capture and share communication trails of as many people as possible, operate without warrants and largely through secret edicts signed by the minister of national defence.

A once-classified "metadata ministerial directive" from the Liberal government of 2005 first told CSE it can capture and share as many phone and Internet logs as it can, so long as it does not go after Canadians specifically. Should such metadata turn up in the wider trawl, the minster tells the spy agency to scrub out any known "Canadian identifying information" before sharing with allies.

During the 2015 campaign, the Liberals suggested they would like judges rather than ministers to make these decisions. The party has said almost nothing about constraining CSE since, but a spokeswoman for Defence Minister Harjit Sajjan told The Globe on Tuesday the government still hopes to introduce a law.

Problems with CSE metadata programs were revealed to the public earlier this year by the spy agency's watchdog, who reviews operations.

Jean-Pierre Plouffe, who is also calling for new laws for the spy agency, unveiled records showing the CSE bought privacy-protecting software that failed. Specifically, it did not remove identifiably Canadian phone logs and Internet Protocol exchanges. So for years, potentially vast amounts of such material was shared in almost its raw form with allied agencies.

Mr. Sajjan played down the privacy implications, telling reporters the members of the intelligence partnership known as the Five Eyes – agencies in the United States, Britain, Australia, Canada and New Zealand –undertake to protect the privacy of one another's citizens, and not merely their own.

The privacy commissioner says such remarks cannot be taken at face value. "The privacy risk was minimized, downplayed."

Mr. Therrien said in the interview that the only reason spy agencies such as CSE collect metadata is that it is so very revealing. And he added that no Five Eyes "gentlemen's agreement" overrides anyone's national interest.

When asked what kinds of worst-case scenarios could emerge from all this, Mr. Therrien cited the case of a Canadian software engineer once famously caught in the U.S. Central Intelligence Agency's crosshairs.

In 2001, Canadian officials wrongly red-flagged Maher Arar as a terrorist threat. He was arrested in a New York airport and flown on a CIA-leased jet to the Middle East and spent the next year jailed in his native Syria.

"We only need to think about Arar," Mr. Therrien said, adding that the Syrian-Canadian was tortured. "Arar is a real-life example of where information was shared to a third state. That is the worst-case scenario."