OTTAWA—Canada’s electronic spy agency says it gathers and sometimes keeps personal information—including names and email addresses of Canadians—as part of efforts to protect vital networks from cyberattacks.
Communications Security Establishment Canada maintains an information bank containing the personal information of “potentially any individual” who communicates electronically with a key federal
computer network while CSEC is assessing its vulnerability.
Information in the bank, known as CSEC PPU 007, is held for up to 30 years before being transferred to Library and Archives Canada, says a description in the federal Info Source guide, which lists the various categories of personal information held by the government.
“Personal information may be used to assess potential threats to information technology systems subject to the assessment, and to help ensure the security of these electronic systems,” the notice says.
The listing sheds light on a little-known aspect of CSEC’s work—threat assessments and technical analyses aimed at strengthening federal defences against foreign cyberattacks on government computers.
The Ottawa-based spy agency has come under intense scrutiny in recent months due to leaks by a former contractor for the National Security Agency, CSEC’s American counterpart and close working ally.
CSEC insists it targets only foreign communications—from email to satellite traffic—of intelligence interest to Canada. However, the spy service acknowledges it cannot monitor global communications in the modern era without sweeping up at least some Canadian information.
As a result, CSEC’s cyberdefence activities are permitted through special authorization of the federal defence minister. Otherwise, they would risk contravening the Criminal Code provision against intercepting the private communications of Canadians.
Records recently obtained under the Access to Information Act say CSEC planned to focus its cyberdefence operations in 2012-13 on its own computer networks and those of three other federal institutions: National Defence, Foreign Affairs, and Shared Services Canada, which administers the federal secure communication channel, known as SC Net.
The Info Source listing says personal information collected by CSEC during cyberdefence efforts may include a person’s full name, email address, Internet Protocol (IP) address and any incidental personal details contained in electronic routing codes, or metadata.
Information from the databank may be shared with domestic police agencies “or foreign bodies” in keeping with formal agreements, the listing says.
The foreign bodies are most likely CSEC’s Five Eyes partners—the U.S. NSA and similar agencies in Britain, Australia and New Zealand, said Wesley Wark, a visiting professor at the University of Ottawa’s graduate school of public and international affairs.
Wark called it “remarkable” that information can be held for 30 years.
“What this material does not tell us, of course, is the extent of the personal information held as a result of cybersecurity activities,” he noted.
Speaking to a group of senators on May 28, Wark characterized the commissioner’s annual reports as insider exercises that tell Canadians little.
He challenged senators to read one of the reports and “make any sense of it.”
With files from Murray Brewster