Canada’s cyber surveillance agency breached policy and mistakenly spied on an unwitting Canadian citizen for five years, according to a new watchdog report.The Communications Security Establishment started surveilling a person who turned out to be a foreign national in 2010, but didn’t stop when the person was deemed a potential Canadian the same year.It is illegal for the CSE to knowingly target Canadians living at home and abroad, and while it’s not against the law to target “potential Canadians,” the CSE does its best to protect them, the report says.
Despite flagging the person for suspected ties to the country, monitoring continued for five years—until a “second party” reported the policy breach in 2018, the report says.Canada is part of the Five Eyes intelligence alliance, which facilitates collaboration between spy services from the United States, Britain, Australia, and New Zealand. That means the second party who caught the CSE’s blunder was likely a non-Canadian source.“What’s noteworthy is that it was one of our allies who tracked this down,” said Christopher Parsons, a lead researcher with The Citizen Lab who specializes in global security.
“CSE was not only involved in targeting an individual who turned out to be a Canadian, but they didn’t catch the error," Parsons said, adding, “We were sharing information about a potential Canadian—turns out an actual Canadian—with our allies.”The person in question could have been targeted for a number of reasons, including concerns around money laundering, terrorism, or for being a perceived foreign dignitary.The problem, Parsons said, is that Canadians can be targeted without their consent, and the information can be shared with other parties.CSE commissioner Jean-Pierre Plouffe acts as a watchdog, ensuring the CSE complies with Canadian law. He investigated the incident and produced the report.According to Plouffe, the CSE followed the law and, thanks to new policies and practices that will better safeguard the privacy of Canadians, the risk of a similar incident occurring is low.
When asked if the individual who was mistakenly targeted was notified, CSE spokesperson Ryan Foreman said he is unable to offer any additional details.“The commissioner was satisfied that the situation was fully mitigated, and that CSE properly applied measures and updated processes to prevent re-occurrence,” Foreman said.But Parsons said he won’t be surprised if CSE makes more mistakes in the future.“The case is involved in the collection of large volumes of data. Quite often, there is an imprecision in targeting,” Parsons said. “What findings like this showcase is when you’re engaged as a country in mass surveillance and targeted surveillance, you’ll routinely make errors.”“That should be very concerning given that we have given them a much broader set of powers,” he added.Canada’s security establishment has a track record of convenient oversights that have threatened the privacy and security of Canadians. In 2017, a federal court order revealed the existence of a metadata analysis program that illegally stored data from thousands of people. The court found that the Canadian Security Intelligence Service failed to disclose information about the program until forced.Follow Anya Zoledziowski on Twitter.