05/28/2014 04:00 EDT | Updated 07/28/2014 05:59 EDT

CSEC Gathers Canadians' Personal Data In Cyberdefence Efforts


OTTAWA - Canada's electronic spy agency says it gathers and sometimes keeps personal information — including names and email addresses of Canadians — as part of efforts to protect vital networks from cyberattacks.

Communications Security Establishment Canada maintains an information bank containing the personal information of "potentially any individual" who communicates electronically with a key federal computer network while CSEC is assessing its vulnerability.

Information in the bank — known as CSEC PPU 007 — is held for up to 30 years before being transferred to Library and Archives Canada, says a description in the federal Info Source guide, which lists the various categories of personal information held by the government.

"Personal information may be used to assess potential threats to information technology systems subject to the assessment, and to help ensure the security of these electronic systems," the notice says.

The listing sheds light on a little-known aspect of CSEC's work — threat assessments and technical analyses aimed at strengthening federal defences against foreign cyberattacks on government computers.

The Ottawa-based spy agency has come under intense scrutiny in recent months due to leaks by a former contractor for the National Security Agency, CSEC's American counterpart and close working ally.

CSEC insists it targets only foreign communications — from email to satellite traffic — of intelligence interest to Canada. However, the spy service acknowledges it cannot monitor global communications in the modern era without sweeping up at least some Canadian information.

Story continues below

Photo gallery 12 Things Harper Doesn't Want You To Know About Spying On Canadians See Gallery

As a result, CSEC's cyberdefence activities are permitted through special authorization of the defence minister. Otherwise, they would risk contravening the Criminal Code provision against intercepting the private communications of Canadians.

Records recently obtained under the Access to Information Act say CSEC planned to focus its cyberdefence operations in 2012-13 on its own computer networks and those of three other federal institutions: National Defence, Foreign Affairs and Shared Services Canada, which administer the federal secure communication channel, known as SC Net.

The Info Source listing says personal information collected by CSEC during cyberdefence efforts may include a person's full name, email address, Internet Protocol (or IP) address and any incidental personal details contained in electronic routing codes, or metadata.

Information from the data bank may be shared with domestic police agencies "or foreign bodies" in keeping with formal agreements, the listing says.

The foreign bodies are surely CSEC's Five Eyes partners — the U.S. NSA and similar agencies in Britain, Australia and New Zealand, said Wesley Wark, a visiting professor at the University of Ottawa's graduate school of public and international affairs.

It is "remarkable" that information may be held in the data bank for 30 years, Wark added.

"What this material does not tell us, of course, is the extent of the personal information held as a result of cybersecurity activities."

The notes released under Access to Information say that if CSEC intercepts a private Canadian communication under ministerial authorization, "it can only be used or retained if it is deemed essential to international affairs, defence or security."

Information collected during an assessment of a federal agency's computer systems — including personal data — is destroyed once the test is complete, or sooner if it is not needed to "identify, isolate or prevent harm" to the network, said CSEC spokesman Ryan Foreman.

In some cases, the personal information of a Canadian may be kept if a foreign cyberattacker engages in phishing — an attempt to compromise a government department's system by sending a carefully crafted email that appears to originate from a known or trusted sender, Foreman indicated.

In other cases, a known piece of malware might be retained and used to prevent future cyberattacks, he said.

Follow @JimBronskill on Twitter