Accessibility/Mobile Features
Skip Navigation
Skip to Content
Editorial News
Classified Sites

The Canadian Press - ONLINE EDITION

Electronic spy agency gathers personal information in cyberdefence role

The new Communications Security Establishment Canada (CSEC) complex is pictured in Ottawa on October 15, 2013.THE CANADIAN PRESS/Sean Kilpatrick

Enlarge Image

The new Communications Security Establishment Canada (CSEC) complex is pictured in Ottawa on October 15, 2013.THE CANADIAN PRESS/Sean Kilpatrick

OTTAWA - Canada's electronic spy agency says it gathers and sometimes keeps personal information — including names and email addresses of Canadians — as part of efforts to protect vital networks from cyberattacks.

Communications Security Establishment Canada maintains an information bank containing the personal information of "potentially any individual" who communicates electronically with a key federal computer network while CSEC is assessing its vulnerability.

Information in the bank — known as CSEC PPU 007 — is held for up to 30 years before being transferred to Library and Archives Canada, says a description in the federal Info Source guide, which lists the various categories of personal information held by the government.

"Personal information may be used to assess potential threats to information technology systems subject to the assessment, and to help ensure the security of these electronic systems," the notice says.

The listing sheds light on a little-known aspect of CSEC's work — threat assessments and technical analyses aimed at strengthening federal defences against foreign cyberattacks on government computers.

The Ottawa-based spy agency has come under intense scrutiny in recent months due to leaks by a former contractor for the National Security Agency, CSEC's American counterpart and close working ally.

CSEC insists it targets only foreign communications — from email to satellite traffic — of intelligence interest to Canada. However, the spy service acknowledges it cannot monitor global communications in the modern era without sweeping up at least some Canadian information.

As a result, CSEC's cyberdefence activities are permitted through special authorization of the federal defence minister. Otherwise, they would risk contravening the Criminal Code provision against intercepting the private communications of Canadians.

Records recently obtained under the Access to Information Act say CSEC planned to focus its cyberdefence operations in 2012-13 on its own computer networks and those of three other federal institutions: National Defence, Foreign Affairs and Shared Services Canada, which administers the federal secure communication channel, known as SC Net.

The Info Source listing says personal information collected by CSEC during cyberdefence efforts may include a person's full name, email address, Internet Protocol (IP) address and any incidental personal details contained in electronic routing codes, or metadata.

Information from the databank may be shared with domestic police agencies "or foreign bodies" in keeping with formal agreements, the listing says.

The foreign bodies are surely CSEC's Five Eyes partners — the U.S. NSA and similar agencies in Britain, Australia and New Zealand, said Wesley Wark, a visiting professor at the University of Ottawa's graduate school of public and international affairs.

Wark called it "remarkable" that information can be held for 30 years.

"What this material does not tell us, of course, is the extent of the personal information held as a result of cybersecurity activities," he noted.

The notes released under Access to Information say that if CSEC intercepts a private Canadian communication under ministerial authorization, "it can only be used or retained if it is deemed essential to international affairs, defence or security."

Information collected during an assessment of a federal agency's computer systems — including personal data — is destroyed once the test is complete, or sooner if it is not needed to "identify, isolate or prevent harm" to the network, said CSEC spokesman Ryan Foreman.

In some cases, Foreman indicated, the personal information of a Canadian may be kept if a foreign cyberattacker engages in phishing — an attempt to compromise a government department's system by sending a carefully crafted email that appears to originate from a known or trusted sender.

In other cases, a known piece of malware might be retained and used to prevent future cyberattacks, he said.

Asked Wednesday if Canadians have anything to fear, Defence Minister Rob Nicholson said CSEC works well.

"There's an independent commissioner who reports every year and has found CSEC is compliant with Canadian law and privacy laws," he said.

Speaking to a group of senators Wednesday, Wark characterized the commissioner's annual reports as insider exercises that tell Canadians little.

He challenged senators to read one of the reports and "make any sense of it."

— With files from Murray Brewster

Follow @JimBronskill on Twitter

  • Rate this Rate This Star Icon
  • This article has not yet been rated.
  • We want you to tell us what you think of our articles. If the story moves you, compels you to act or tells you something you didn’t know, mark it high. If you thought it was well written, do the same. If it doesn’t meet your standards, mark it accordingly.

    You can also register and/or login to the site and join the conversation by leaving a comment.

    Rate it yourself by rolling over the stars and clicking when you reach your desired rating. We want you to tell us what you think of our articles. If the story moves you, compels you to act or tells you something you didn’t know, mark it high.

Sort by: Newest to Oldest | Oldest to Newest | Most Popular 0 Commentscomment icon

You can comment on most stories on brandonsun.com. You can also agree or disagree with other comments. All you need to do is register and/or login and you can join the conversation and give your feedback.

There are no comments at the moment. Be the first to post a comment below.

Post Your Commentcomment icon

Comment
  • You have characters left

The Brandon Sun does not necessarily endorse any of the views posted. Comments are moderated before publication. By submitting your comment, you agree to our Terms and Conditions. New to commenting? Check out our Frequently Asked Questions.

letters

Make text: Larger | Smaller

Brandon Sun Business Directory
Sudden Surge: Flood of 2014
Opportunity Magazine — The Bakken
Why Not Minot?
Welcome to Winnipeg

Social Media