CSIS did a bad, bad thing.
The Canadian Security Intelligence Service, better known as CSIS, has found itself in trouble with the legal system once again after a federal court discovered the existence of an "illegal" database full of information on Canadians, held at a secret data centre.
The information came to light in a federal court judgement, released Thursday, that takes aim at the previously-unknown Operational Data Analysis Centre and a program whereby CSIS was storing large amounts of data that had nothing to do with its investigations.
The judgement is heavily redacted so it is difficult to determine the exact nature of the investigation, the warrants, or the data collected.
But Justice Simon Noël is unequivocal: "this retention of associated data is illegal."
His ruling outlines how the collection of the data, its storage, and the data centre itself were all part of a large program that CSIS kept under wraps.
Over the course of a normal investigation, CSIS may obtain information, intelligence, and data pertaining to an individual. The agency has the power to run through that information to determine if the person is a national security threat, relevant to an investigation, or has something to do with international affairs.
If that data—such as an email between two law-abiding individuals—isn't useful in any of those respects, CSIS is required to delete it.
Except, according to Justice Noël's ruling, that's not exactly what they were doing.
While CSIS was deleting the data, they were saving and storing the metadata from the information, but renaming it "associated data," mostly in an effort to skirt rules around data collection, and keeping it for as long as they want. This data, the court adds, was "non-threat, third-party information."
The information would be stored in the secretive Operational Data Analysis Centre, whose purpose is to "retain all data collected from investigations and warrants in order to exploit that information in ongoing and future investigations."
Metadata could include everything from your phone number and email address to your search history and GPS location.
This is big data analysis is the job of CSIS' signals intelligence sister, the Communication Security Establishment, but not in CSIS itself.
There has been virtually no reporting on the Operation Data Analysis Centre since its inception in 2006. The only online mentions of the centre come from a now-deleted job post on the CSIS website, and a LinkedIn page for a former manager of the centre.
The LinkedIn page refers to it as "the CSIS centre of excellence for big data exploitation."
"The end product [of this program] is intelligence which reveals specific, intimate details on the life and environment of the persons the CSIS investigates," Noël writes. "The program is capable of drawing links between various sources and enormous amounts of data that no human being would be capable of..." the rest is redacted.
Later in his ruling, Noël underscores that this data had active uses, writing that "evidence was produced establishing that the processing and analysis of associated data has yielded some useful intelligence results. In some cases, analysis of retained data in past cases indeed contributed to new investigative leads and other useful pertinent information."
That's the process that Noël said was illegal.
The ruling added that information was still scant on the entire program, and that even the court remained in the dark about aspects of the surveillance activities.
"The court, during the hearings, learned that the program had been existence since 2006 yet it had never heard nor seen any evidence on the matter prior to the recent hearings," Noël writes.
CSIS informed the Public Safety Minister but never told the court. They kept it secret until 2011, when a lawyer for the agency made an "indirect allusion" to the data centre.
The judge concluded that "CSIS had an elevated obligation to inform the Court of the use it was making of non-threat-related information collected through the operation of warrants; it failed to do so."
The only official reference to the centre comes from a 2010 CSIS report which reads that the "Operational Data Analysis Centre (ODAC) provides support to the Service's operational branches by performing advanced analysis of data that is collected on subjects of investigation."
There is still much fog around exactly how CSIS goes about collecting digital information, as it does have legal authority to intercept and monitor communications—usually with a warrant—and can cooperate and deputize Canada's main signals intelligence agency, the Communication Security Establishment (CSE), to do bulk data collection.
This ruling adds context to documents obtained under access to information laws by VICE News in 2015. In those documents, which contain memoranda of understanding between CSIS and CSE, there is a 2007 agreement between the two agencies that "provide[s] for the disclosure and safeguarding of information shared between the parties." That agreement sets out a host of conditions for how to share and store information, data, and intelligence.
This isn't the first time that CSIS has gotten in trouble for pulling the wool over the court's eyes. In 2013, another federal court judge chided CSIS' efforts to get around its own domestic mandate by contracting out to CSE and the American NSA to conduct foreign surveillance. That problem was resolved after the federal government authorized international CSIS operations.
Photo via CP.
Follow Justin Ling on Twitter.