The Communications Security Establishment, Canada's electronic spy agency, has stopped sharing certain metadata with international partners after discovering it had not been sufficiently protecting that information before passing it on.
Defence Minister Harjit Sajjan says the sharing won't resume until he is satisfied that the proper protections are in place. Metadata is information that describes other data, such as an email address or telephone number, but not the content of a given email or recording of a phone call.
The issue is disclosed in the annual report of CSE commissioner Jean Pierre Plouffe, which was tabled in the House of Commons Thursday morning.
- CSIS obtained confidential taxpayer data without warrants
- CSE worried about use of Canadian metadata
- CSEC's collection of metadata shows ability to 'track everyone'
- CSEC used airport Wi-Fi to track Canadian travellers: Snowden docs
"While I was conducting this current comprehensive review, CSE discovered on its own that certain metadata was not being minimized properly," Plouffe explained in the report.
"Minimization is the process by which Canadian identity information contained in metadata is rendered unidentifiable prior to being shared …."
"The fact that CSE did not properly minimize Canadian identity information contained in certain metadata prior to being shared was contrary to the ministerial directive, and to CSE's operational policy."
Canada's Five Eyes partners, with which data is sometimes shared, are the United States, Australia, New Zealand and the United Kingdom.
The report also noted that "the metadata ministerial directive lacks clarity regarding the sharing of certain types of metadata with Five Eyes partners, as well as other aspects of CSE's metadata activities."
Plouffe goes on to say that the ministerial directive is unclear about key aspects of how CSE collects,uses and discloses metadata, and does not provide clear guidance for how CSE's metadata activities are undertaken, recommending the agency ask for a new directive to provide better guidance.
In a statement, Sajjan says the "metadata in question … did not contain names or enough information on its own to identify individuals" and that "taken together with CSE's suite of privacy protection measures, the privacy impact was low."
He added: "I am reassured that the commissioner's findings confirm the metadata errors that CSE identified were unintentional, and am satisfied with CSE's proactive measures, including suspending the sharing of this information with its partners and informing the Minister of Defence."
Sajjan said CSE won't resume sharing this information with Canada's partners until he is fully satisfied the effective systems and measures are in place."
Speaking to reporters on Parliament Hill, Sajjan did not specify what sort of metadata had been shared and said officials could not review the data to determine how many people might have been impacted without violating privacy laws.
Appearing alongside Sajjan, Public Safety Minister Ralph Goodale noted that the federal government is in the process of reviewing its security intelligence operations and is committed to introducing new parliamentary oversight of intelligence agencies.