Federal government mistakenly sent 'sensitive' information to lawyer — and now wants it back in the box
Information was not properly redacted, say court documents
The federal government failed to properly black out sensitive information during a recent Federal Court case — and now it wants that information back under cover.
The incident is raising questions about how well equipped the federal border and immigration departments are to deal with national security cases during the pandemic.
According to a recently filed court document, the government was "unaware that the blacked-out text" in documents released to the applicant's lawyer by the Canada Border Services Agency and Immigration, Refugees and Citizenship Canada "could be lifted to reveal confidential and sensitive information." CBSA also separately released sensitive information that it neglected to redact.
The slip-up is connected to a court case involving Andrea and Attila Kiss. The Roma Hungarian couple said in 2019 they were planning on visiting Andrea's sister, who had been granted asylum in Canada three years earlier. After screening at the Budapest airport, the two were told that Canadian officials had cancelled their electronic travel authorizations (ETAs).
The couple is seeking a judicial review from the Federal Court, arguing that the test used by the federal government to identify whether visitors will remain in Canada beyond their authorized stay is discriminatory.
- From soliciting bribes to abuse of authority, CBSA officers hit with hundreds of misconduct complaints
They say Immigration, Refugees and Citizenship Canada's (IRCC) reliance on what it calls "indicators" — signs officials use to decide whether someone is likely to claim asylum, such as whether they've checked luggage — has adversely affected a large number of Hungarian nationals and Roma travellers.
In the course of that case, the government argued that certain information the Kiss's team was seeking could be injurious to national security and sought a special non-disclosure application under the Immigration and Refugee Protection Act.
Immigration Minister Marco Mendicino asked that portions of the documents revealing the nature of the indicators that informed the officers' decision to cancel the couples' ETAs be redacted — blacked out — arguing that disclosing the information would give those wishing to evade Canadian border officials the means to do so.
In May 2020 the judge approved the minister's request to redact one of the indicators.
Earlier this year he ordered the government to disclose additional documents in the case and about 200 pages of information were sent to the couple's lawyer, Benjamin Perryman, on Feb. 5.
Perryman said he was shocked to realize the government's disclosure included redactions easily lifted using an ordinary PDF reader.
"Not only could they be lifted, but it was for information of which the government claims national security would be injured if it was released in the public realm. I was really taken back," he told CBC News.
"Computers are not new. We are well into the 21st century now and lawyers have been using computers for some time. You always hear stories of access to information, documents not being properly redacted, but you think that's going to be the last time you hear that story."
It turns out both CBSA and IRCC made mistakes when they were redacting the sensitive information.
According to an affidavit from a CBSA manager, staff used a software tool to highlight the sensitive information and then changed the colour of the highlighting from yellow to black.
"When documents of black typeface are black highlighted in this manner, the highlighted information is superficially obscured, although this is not a permanent method for redacting sensitive information," says that affidavit, dated Feb. 16 of this year.
Meanwhile, the IRCC litigation analyst tasked with redacting sensitive files coming from her department said in an affidavit that while she usually applies redactions by hand, she had been working remotely at the time due to the pandemic.
"I used Microsoft Paint to cover personal or sensitive information in the screenshots so the information was not readable," she said in another affidavit, also issued on Feb. 16.
"I was not aware that the information under the black marks I added in [Microsoft] Word could be read once converted to PDF."
After Perryman alerted the court to the faulty redactions on Feb. 5, CBSA staff then went back through the released material and found more information had been shared with him in error.
"Four further pieces of sensitive information contained in the documents were discovered to have been missed in the initial review. This was purely a mistake arising from the speed with which the materials were reviewed," says the CBSA manager's affidavit.
"The disclosure of these pieces of information was inadvertent."
If this was top secret information upon which the security of Canada rested, it would be very alarming that this is the process that CBSA and IRCC are following.- Lawyer Benjamin Perryman
In the end, three types of information were released that the government said should have been kept secret: sensitive information obscured by black highlights but not properly redacted; sensitive information mistakenly overlooked; and irrelevant personal information.
AG seeking an injunction to stop further spread
Now, the Attorney General of Canada is seeking a permanent injunction "restraining the use, dissemination and publication of sensitive information inadvertently transmitted by the respondent in error."
Lawyers representing the Attorney General of Canada attributed the mistake to "a combination of human error and technological issues."
"It is an unfortunate reality that sensitive information is sometimes inadvertently disclosed in the context of litigation. Courts across the country have recognized this reality and taken steps to ensure that a slip on the part of a party does not have far-reaching consequences," they wrote in a submission requesting the injunction.
"This assistance is even more necessary when the slip involves information which would be injurious to national security if released."
Perryman said the error likely won't help his clients and may only delay their case further. He said the breach still raises questions about how both CBSA and IRCC handle information deemed top secret by the federal government.
"It is a snafu only because it doesn't look like this is a legitimate assertion of national security privilege. If this was top secret information upon which the security of Canada rested, it would be very alarming that this is the process that CBSA and IRCC are following," he said.
"That's not acceptable. It should not be swept under the rug and it needs to never happen again."
Christian Leuprecht, a defence and security expert at the Royal Military College and Queen's University, said the error likely was due to a lack of training among public servants when they shifted to working from home.
"Departments were building the plane while flying it," he said.
"Even though it has national security implications, it looks like employees appear to have been left to fend for themselves — 'We don't have time and money for training, so just do your best.'
"Well, the 'best' has resulted in massive effort to remedy a mistake that could readily have been avoided."
CBSA, IRCC offering more training
CBSA spokesperson Louis-Carl Brissette Lesage said employees have been reminded recently of how to handle sensitive information and the potential impacts of releasing it.
"The information was inadvertently released as a result of human error and the challenges of submitting documents electronically in the current pandemic, and was immediately brought to the Court's attention," he said in a statement.
"Lessons learned from this event will help to prevent similar situations in the future."
IRCC said it is also reminding its employees of the proper steps to take.
"The government of Canada takes privacy and security issues very seriously," said IRCC spokesperson Isabelle Dubois.
"Processes in relation to the transmission of court documents and for the protection of privacy and sensitive information are in place and will be reiterated to all employees in order to prevent any further reoccurrence."
The Attorney General's office is also seeking a list of the individuals who received the information.
In his Feb. 5 letter to the court alerting them to the faulty redactions, Perryman also wrote that before he realized the redactions were easily readable, he sent the documents to Gábor Lukács, an air passenger rights advocate.
Lukács then passed along the documents to a third party in Hungary and to another lawyer in Canada.
According to court documents, Lukács said he has since destroyed the information but has never identified the lawyer to whom he sent the information.
"It is unknown whether they have destroyed the copy received, along with any copies, notes, summaries or other derivative products... It is also unknown whether they have further transmitted the information and, if so, to whom," wrote the government in its motion request.
Lukács said he'll file a response in the coming days. He's arguing the government's request prohibiting him from commenting on the redactions interferes with his freedom of speech, while identifying his lawyer would interfere with his solicitor-client privilege.
"When the state seeks such highly invasive remedies against a Canadian citizen, it may be a threat to civil liberties," he said.