Canada's digital spying watchdog announced today that the Communications Security Establishment, Canada's version of the United States' NSA, sent Canadians' data to international spy agencies without properly scrubbing it of potentially identifying information.
As a result, the agency has elected to stop sharing some metadata (it's not clear what kind) with its partners in the Five Eyes surveillance regime—which includes the US, the UK, Australia, and New Zealand—until the issue can be corrected. For years, CSE has shared this kind of information with its partners in surveilling the global internet.
The bombshell announcement was part of CSE Commissioner Jean Pierre Plouffe's annual report. Plouffe reports that CSE discovered on its own that Canadians' metadata—information about their online communications, but not their contents—was not being "minimized" properly before being sent to its partners. Plouffe notes that "minimization" is the process by which metadata is made unattributable to individuals. Another common term for this process is "anonymization." "This review revealed that CSE's system for minimizing certain types of metadata was decentralized and lacked appropriate control and prioritization," Plouffe wrote in his report. "CSE also lacked a proper record-keeping process." Plouffe noted that the failures were likely unintentional.
"In a couple years, the NSA may have a new capability that allows them to match up more information, and they'll still have the data we gave them today"
In a statement, Defence Minister Harjit Sajjan said that the metadata provided "did not contain names or enough information on its own to identify individuals" and that "the privacy impact was low."
Metadata is a pernicious thing, however. Even when measures to "minimize" metadata are taken, it may still be used to identify people. When one point of anonymized metadata is linked with information in other databases—like, say, those maintained by the NSA and GCHQ—its identifying power becomes even stronger. When minimization isn't undertaken at all, then metadata is, flatly, not anonymous.
"You can do so much with metadata before attaching a name to it, and so much harm can be done before you attach a name to it," said Tamir Israel, a privacy lawyer with the Canadian Internet Policy and Public Interest Clinic. "It's increasingly easier to connect people's information without their names. In a couple years, the NSA may have a new capability that allows them to match up more information, and they'll still have the data we gave them today."
Underscoring how problematic metadata can be, leaked documents on the US's drone program in Somalia and Yemen revealed last year that the US government makes kill decisions based on metadata.
Americans live with the reality that their metadata is being legally collected by their government's security agencies. In Canada, things are a little different—the CSE is legally obligated not to direct its metadata collection activities at Canadians. Instead, metadata collection is meant to collect intelligence on the internet and actors outside Canada's borders.
Now that Canada's surveillance partners apparently have data on Canadians that they shouldn't, CSE's recourse appears limited. Beyond turning off one part of the data firehose, Plouffe writes that Five Eyes partners should stick to their agreement not to target each other's communications.
"CSE trusts that its Five Eyes partners will follow the general statements in the agreements signed among partners," Plouffe wrote, "and not direct activities at Canadians or persons in Canada."