'Difficult to determine' scope of privacy breach in Five Eyes data sharing

It's impossible to know how many Canadians had their personal data shared by the country's electronic spy agency in a metadata glitch, according to its watchdog.

Lack of information about metadata sharing 'unconscionable' and 'irresponsible,' privacy advocate says

CSE commissioner Jean-Pierre Plouffe told senators Monday that because the data's now erased, it may be impossible to determine the scope of a privacy breach that saw Canadians' information shared with intelligence partners abroad. (Adrian Wyld/Canadian Press)

It's impossible to know how many Canadians had their personal data shared by the country's electronic spy agency in a metadata glitch, according to its watchdog.

Jean-Pierre Plouffe, commissioner of the Communications Security Establishment (CSE), told a Senate committee Monday that data were erased from the agency's system, making it difficult to find out the number of people impacted.

"It is impossible to know the exact figure. After a certain amount of time, data disappears. They have a deadline after which system data is deleted."

A month ago, Plouffe tabled his annual report in the House of Commons, revealing for the first time that CSE illegally and unintentionally shared metadata with Canada's Five Eyes intelligence allies: the United States, United Kingdom, Australia and New Zealand.

That data may include Canadians' personal information, including phone numbers or email addresses, but not the content of emails or recordings of phone calls.

"It's not accidental," Plouffe said in an interview about the CSE breaking the law. "It's because of a lack of due diligence."

Metadata is information associated with communication that is used to identify, describe or route information. CSE is supposed to monitor only foreign communications for intelligence that may be of interest to Canada.

If the spy agency comes across Canadians' information, the law requires it to delete the data from its systems.

No idea how long problem lasted

The commissioner said CSE disclosed the metadata glitch as it prepared its 2014 annual report.

"When they discovered it, they didn't know for how long the problem existed," said Plouffe, who still doesn't know if the glitch lasted months or years.

When Conservative Senator Claude Carignan asked "How many Canadians were affected by this error?" the commissioner could not answer. 

Plouffe explained that the spy agency intercepts millions of pieces of metadata each year. But it erases data after a certain deadline to make room in the system.

"It is very difficult to determine the number of Canadians affected," said Plouffe.

'First CSE non-compliance'

This is the first time the commissioner has said his office has ever discovered a non-compliance issue with CSE.

Plouffe says even if Canada's intelligence allies did receive some Canadian information, theoretically they should not act upon it, according to the policy.

All of the Five Eyes partners' data is stored in Washington. Plouffe checked with the U.S. National Security Agency in January 2015 and was told it wasn't aware of any Canadian's personal information being compromised.

However, Canada has stopped sharing certain metadata with international partners. Defence Minister Harjit Sajjan said last month that sharing won't resume until he's satisfied that the proper protections are in place.

Unacceptable 'from A to Z'

Ontario's former privacy commissioner, Ann Cavoukian, says CSE never should have collected the metadata in the first place and wants the practice to end.

"It has been illegally collected," said Cavoukian. "It's unscrupulous they're doing this...The whole thing from A to Z is unacceptable."

Cavoukian questions how it's possible that the metadata isn't tracked.

"I just think it's unconscionable that they have no idea how much metadata has been collected, where it is and they're saying now it's all deleted. That's irresponsible."

In an email, a communications adviser said the federal privacy commissioner's office is in discussions with CSE and can't comment further at this time.

"We wanted to follow up to seek further clarity on the issues raised in the report, including how much personal information of Canadians was involved and what ultimately happened to the information, and whether appropriate protective measures were taken," wrote spokeswoman Tobi Cohen.