Politics

CSIS saw 'no high privacy risks' with metadata crunching: internal report

The national spy service saw little risk to the personal privacy of Canadians in a evaluation of its secret data-crunching centre, which kept information about Canadians' communications, newly released documents show.

Program to collect and analyze information about Canadians' communications condemned by judge last year

A Canadian Security Intelligence Service sign in pictured on a sunny day.
An internal assessment in 2010 found only "low-risk" concerns about Canadians' privacy related to a secret data collection program inside CSIS. A judge last year ruled the program to retain and analyze communications metadata violated the law. (Sean Kilpatrick/The Canadian Press)

The national spy service saw little risk to the personal privacy of Canadians in a self-penned evaluation of its secret data-crunching centre — a shadowy program now at the centre of intense controversy, newly released documents show.

The Canadian Security Intelligence Service centre touched off a firestorm late last year when a judge said CSIS had broken the law by keeping and analyzing the digital metadata of innocent people.

The ruling also prompted debate about what future role the spy service should have — if any — in using such potentially revealing information in its work.

But a privacy impact assessment of the Operational Data Analysis Centre prepared in August 2010 — and secret until now — offered little hint of such concerns.

"The assessment process has identified no high privacy risks," says the 62-page CSIS report.

It highlighted six "low risk" issues of "lesser magnitude" concerning the use, accuracy, retention, disposal and safeguarding of personal information.

Federal agencies are supposed to carry out such assessments when introducing a program with possible privacy implications.

The Canadian Press obtained a heavily censored version of the classified CSIS document through an Access to Information request.

Metadata kept illegally: Judge

In November, Federal Court Justice Simon Noel said CSIS violated the law by keeping electronic data about people who were not actually under investigation. His pointed ruling said the spy service should not have kept the information because it was not directly related to threats to the security of Canada.

CSIS Director Michel Coulombe testified last year that the metadata was collected legally, but the agency would comply with the judge's ruling. What to do with a decade of metadata is now under review. (Adrian Wyld/Canadian Press)

The privacy impact assessment drafted years earlier said CSIS would manage the "low" risks related to use and retention of the data by following established standards and procedures.

CSIS processed the information — known as metadata — beginning in 2006 through its analysis centre to identify patterns of movement, communication, behaviours, significant trends and links that are otherwise not discernable.

Metadata is information associated with a communication, such as a telephone number or email address, but not the message itself.

The office of federal privacy commissioner Daniel Therrien says metadata must be handled with care because it can reveal medical conditions, religious beliefs and sexual orientation, among other personal traits.

Privacy watchdogs from across the country recently said Canada's spy agencies should destroy the data trails of innocent people they collect incidentally during terrorism investigations, once the actual targets have been cleared of suspicion.

National security policy under review

Noel's court ruling meant metadata could be kept and used by CSIS only if the information was related to a specific threat to Canadian security or if it was of use to an investigation, prosecution, national defence or foreign affairs.

However, the matter is under review as part of a broad federal examination of national security policy.

Public Safety Minister Ralph Goodale, the cabinet member responsible for CSIS, told MPs at a House of Commons committee in December he was weighing views on whether CSIS should be allowed to retain and use such information.

Minister of Public Safety Ralph Goodale is reviewing the handling of metadata as part of a broader look at Canada's national security policy. (Michelle Siu/Canadian Press)

CSIS director Michel Coulombe testified that he hoped the spy service would be in a position within about six months to decide what to do with the associated metadata collected over the 10-year period.

The 2010 privacy impact assessment said that while CSIS believes in openness and transparency, due to the "extreme sensitivity" of the data analysis centre's work, "it is not possible to communicate about that work to the public."

The assessment said it was a "snapshot in time and scope" of the analysis centre's "capacity building phase."

Technology has continued to advance in the last seven years, but not in a way that suggests the "low" risk would have been elevated, said CSIS spokeswoman Tahera Mufti.

The spy service has not updated the privacy assessment. However, it will do so in light of the data analysis centre's evolution and the court proceedings, Mufti added.

"The exploitation of data remains a key capability that enhances CSIS' ability to effectively investigate threats to the security of Canada," she said.