CSEC says it gathers personal information in cyberdefence role
The Communications Security Establishment Canada (CSEC) complex is pictured in Ottawa on October 15, 2013. (Sean Kilpatrick / THE CANADIAN PRESS)
Jim Bronskill, The Canadian Press
Published Wednesday, May 28, 2014 6:30AM EDT
Last Updated Wednesday, May 28, 2014 3:46PM EDT
OTTAWA -- Canada's electronic spy agency says it gathers and sometimes keeps personal information -- including names and email addresses of Canadians -- as part of efforts to protect vital networks from cyberattacks.
Communications Security Establishment Canada maintains an information bank containing the personal information of "potentially any individual" who communicates electronically with a key federal computer network while CSEC is assessing its vulnerability.
Information in the bank -- known as CSEC PPU 007 -- is held for up to 30 years before being transferred to Library and Archives Canada, says a description in the federal Info Source guide, which lists the various categories of personal information held by the government.
"Personal information may be used to assess potential threats to information technology systems subject to the assessment, and to help ensure the security of these electronic systems," the notice says.
The listing sheds light on a little-known aspect of CSEC's work -- threat assessments and technical analyses aimed at strengthening federal defences against foreign cyberattacks on government computers.
The Ottawa-based spy agency has come under intense scrutiny in recent months due to leaks by a former contractor for the National Security Agency, CSEC's American counterpart and close working ally.
CSEC insists it targets only foreign communications -- from email to satellite traffic -- of intelligence interest to Canada. However, the spy service acknowledges it cannot monitor global communications in the modern era without sweeping up at least some Canadian information.
As a result, CSEC's cyberdefence activities are permitted through special authorization of the federal defence minister. Otherwise, they would risk contravening the Criminal Code provision against intercepting the private communications of Canadians.
Records recently obtained under the Access to Information Act say CSEC planned to focus its cyberdefence operations in 2012-13 on its own computer networks and those of three other federal institutions: National Defence, Foreign Affairs and Shared Services Canada, which administers the federal secure communication channel, known as SC Net.
The Info Source listing says personal information collected by CSEC during cyberdefence efforts may include a person's full name, email address, Internet Protocol (IP) address and any incidental personal details contained in electronic routing codes, or metadata.
Information from the databank may be shared with domestic police agencies "or foreign bodies" in keeping with formal agreements, the listing says.
The foreign bodies are surely CSEC's Five Eyes partners -- the U.S. NSA and similar agencies in Britain, Australia and New Zealand, said Wesley Wark, a visiting professor at the University of Ottawa's graduate school of public and international affairs.
Wark called it "remarkable" that information can be held for 30 years.
"What this material does not tell us, of course, is the extent of the personal information held as a result of cybersecurity activities," he noted.
The notes released under Access to Information say that if CSEC intercepts a private Canadian communication under ministerial authorization, "it can only be used or retained if it is deemed essential to international affairs, defence or security."
Information collected during an assessment of a federal agency's computer systems -- including personal data -- is destroyed once the test is complete, or sooner if it is not needed to "identify, isolate or prevent harm" to the network, said CSEC spokesman Ryan Foreman.
In some cases, Foreman indicated, the personal information of a Canadian may be kept if a foreign cyberattacker engages in phishing -- an attempt to compromise a government department's system by sending a carefully crafted email that appears to originate from a known or trusted sender.
In other cases, a known piece of malware might be retained and used to prevent future cyberattacks, he said.
Asked Wednesday if Canadians have anything to fear, Defence Minister Rob Nicholson said CSEC works well.
"There's an independent commissioner who reports every year and has found CSEC is compliant with Canadian law and privacy laws," he said.
Speaking to a group of senators Wednesday, Wark characterized the commissioner's annual reports as insider exercises that tell Canadians little.
He challenged senators to read one of the reports and "make any sense of it."