The Canadian Security Intelligence Service (CSIS), the country's CIA equivalent, used large datasets to track and identify persons of interest without a policy to guide their collection, retention, or use, according to a new report from Canada's intelligence watchdog.
CSIS is tasked with tracking terror suspects within and outside of Canada, and the investigation was undertaken in the context of new, and incredibly broad, powers bestowed upon the spy agency by the controversial Bill C-51.
Canada has recently ramped up its efforts to identify people connected to pro-terror ideologies. In August, the Royal Canadian Mounted Police (RCMP) arrested 24-year-old Ottawa man Tevis Gonyou-McLean who was later released on a peace bond that restricts his movement, communication, and online activities. The RCMP's national security unit frequently receives intelligence from CSIS.
A report published on Thursday by the civilian Security Intelligence Review Committee (SIRC) notes that CSIS uses large databases to find out more information about suspects, develop leads, and even to "identify previously unknown individuals of interest by linking together types of information which have mirrored threat behaviour."
According the SIRC report, CSIS had "no comprehensive governance framework guiding the collection, retention and use of bulk datasets." The investigation, which began last year, recommended that CSIS have a policy in place by February of 2016, and CSIS suspended bulk data collection upon SIRC's recommendation until a policy could be implemented.
The Communications Security Establishment, CSIS' sister organization and Canada's answer to the NSA in the US, stopped sharing metadata with foreign spying partners under similar circumstances last year when an internal review concluded that the agency had handled data improperly.
The report suggests that CSIS employed overly generous interpretations of the law in order to collect more data than it was supposed to
The new report also suggests that CSIS employed overly generous interpretations of the law in order to collect more data than it was supposed to.
So-called "referential" datasets—defined by CSIS as already being publicly available, such as a phone book—are not considered to be "collected" by the agency under the CSIS Act, and thus do not need to meet the legal threshold of being "strictly necessary" for a particular investigation.
However, the watchdog "found instances where [it] felt the criteria for inclusion in the 'referential' category—data that is publicly available and openly sourced—were not met." Indeed, SIRC "found no evidence to indicate that CSIS had appropriately considered the threshold."
In other words, CSIS collected large datasets that the watchdog considered to be more invasive than, say, a phone book or a map, but was miscategorizing them and in the process bypassed legal safeguards governing sensitive data.
CSIS has not responded to Motherboard's request asking for clarification on what types of datasets would be considered referential and non-referential.
As a remedy, SIRC recommended that before engaging in bulk data collection, "a clear connection to a threat to the security of Canada" must be established, alternatives to bulk data collection must be considered, and an assessment of how likely the bulk data collection is to produce intelligence of value must be undertaken.
Overall, however, the watchdog was bullish on CSIS' use of its new powers despite these failures on the part of the spy agency.