How an Illegal Canadian Spy Program Sailed Through Regulatory Checks
The system failed.
A federal court alerted Canadians to the existence of a secret metadata analysis program last year when it ruled that the program's retention of thousands of innocent people's data was illegal. The question on everyone's mind then was: Who knew about it?
In its ruling on the Operational Data Analysis Centre (ODAC), the federal court also concluded that the Canadian Security Intelligence Service (CSIS)—the country's domestic CIA analogue—had breached its duty of candour by not fully briefing the court on the program until forced. Former ministers clamored to avoid blame for approving the program or being aware of it, and CSIS halted its metadata analysis.
But privacy regulators were aware of the program, documents show, and CSIS even went through the proper privacy checks and balances. Rules that are ostensibly in place to ensure that government programs don't breach Canadian privacy laws did nothing to stop the security agency's illegal activity.
CSIS created a Privacy Impact Assessment, or PIA, for the metadata centre in 2010. The 64-page document, reported on by the Canadian Press on Monday and obtained by VICE News correspondent Justin Ling via an access to information request, shows how these mandatory measures were little more than a bureaucratic check-box for CSIS. All government agencies are asked to prepare PIAs for new programs and submit them to the Office of the Privacy Commissioner (OPC).
In response to one question in the assessment that asked, "Is all the personal information collected necessary to the operating program or activity?" CSIS simply responded, "Yes." The retention of unnecessary metadata is exactly what the federal court ruled to be illegal last year. CSIS is required by law to only retain data that it deems "strictly necessary" to an investigation.
"Whoever did the report has fully drunk the Kool-Aid," said David Fraser, a digital privacy lawyer at law firm McInnes Cooper, in a phone interview. "It's not at all surprising that a magic wand was waved over it so that it's designated as kosher before the federal court described it as unlawful. They believed that what they were doing was legal."
In a call with journalists after the federal court ruling on the metadata analysis program, Chief General Counsel for the Department of Justice Robert Frater stated that, "We believed we had the authority. Was it set out specifically? No, it wasn't."
An OPC spokesperson confirmed to Motherboard that CSIS provided the office with the privacy assessment, but could not provide further detail because the file contains classified information.
"Generally speaking, PIAs are submitted to us and we can make comments and recommendations based on the government institution's analysis of the privacy risks of a given initiative, activity or program," the spokesperson wrote in an emailed statement. "The OPC, however, does not approve those initiatives, programs or activities."
The constrained role of the OPC when it comes to law enforcement has long been a point of concern. While it's a mandatory policy that all government agencies prepare PIAs and alert the OPC to new programs, it's not a law.
I asked Privacy Commissioner Daniel Therrien about this in an interview last year, and he said, "We can only advise on issues that we're informed on. [...] Currently, it's under a policy that this is done, and often we see that the policy is not necessarily respected."
In the case of CSIS' illegal retention of citizens' metadata, we've seen how this good-faith system can fail even when an agency files a privacy assessment, if that agency isn't forthcoming with officials.
"A PIA is only effective if the organization conducting it engages honestly and thoughtfully in the process," Brenda McPhail, director of the Canadian Civil Liberties Association's surveillance project, wrote me in an email. "If CSIS had done the PIA assessment in the way it should have been done, it should have emerged in their own analysis that the program they proposed, including the collection and storage of information on individuals not under investigation, was unlawful."
The blame for severe breaches of Canadian privacy law shouldn't lie with the OPC, even though it was presented with a Privacy Impact Assessment on the illegal program, said Fraser.
"I would be surprised if CSIS opened its toga to the OPC to give it all the information it needed to make a real assessment," he said. "It leads to the conclusion that the system we have, whatever it is, doesn't work."