Spy agency says it ‘improperly’ shared Canadians’ data with international partners


One of Canada’s intelligence agencies says it “incorrectly” shared information about Canadians that it had “incidentally” obtained with international partners.

The Communications Security Establishment (CSE) shared some details about the incident after the Intelligence Commissioner, the quasi-judicial position that reviews the activities of the cyber spy agency, flagged the case in its annual report presented in Parliament earlier this week.

CSE spokesman Janny Bender Asselin told CBC News that last year the agency had to notify the Minister of Defense of “an incident where CSE shared incorrect information.”

“CSE identified an activity in which, between 2020 and 2023, we shared certain information with international partners without properly eliminating the Canadian information that had been acquired incidentally by attacking valid foreign intelligence objectives,” he said.

“CSE acted quickly to contain the problem.”

The CSE is considered one of the crown jewels of Canadian intelligence, responsible for intercepting and analyzing foreign electronic communications, launching cyber operations and defending government networks and critical infrastructure from attacks.

Asselin said this included seeking assurances from CSE’s trusted partners that the shared information was deleted.

“We continue to update our policies and procedures to avoid recurrence,” he said.

CSE did not say how many Canadians were affected or with which countries the information was shared, citing operational security.

The details were shared with Intelligence Commissioner Simon Noël, who raised the matter in his recently published report.

The commissioner is part of the approval chain before CSE and its sister agency, the Canadian Security Intelligence Service (CSIS), can move forward with certain intelligence collection and cybersecurity activities.

CSE first needs to seek permission from the Minister of Defense, known as a ministerial authorization, if the proposed action would violate the law or potentially violate the privacy interests of Canadians.

According to the law, ministerial authorizations must demonstrate that activities are reasonable, necessary and that there are measures to protect the privacy of Canadians.

The Intelligence Commissioner then provides a layer of oversight and either signs off on the mission, approves it with conditions or denies the application outright.

Noël also ensures that CSE remains compliant after receiving the green light and adheres to what was approved, which was not the case in this information-sharing incident.

The commissioner’s report does not include many details, citing national security.

CSE says data was shared between 2020 and 2023

The case will be included in CSE’s annual report, which is expected at the end of this month, said Asselin.

Noël’s report said he urged the intelligence agency to be as transparent as possible about the incident.

It does not seem that the people involved were alerted, although CSE said that it reported the incident to its oversight and review agencies, including the privacy commissioner’s office.

“The dissemination of this incident that involves CSE raises many serious concerns,” said Matt Malone, director of the Canadian Internet Policy and Public Interest Clinic.

The University of Ottawa professor said that the findings justify many of the fears raised by civil society groups about the potential for inappropriate information sharing under the Liberal government’s cybersecurity bill. The first iteration of the bill died when the House was prorogued at the beginning of this year, and it was reintroduced by the government of Prime Minister Mark Carney as Bill C-8.

If approved, federally regulated industries would have to report cybersecurity incidents to CSE, which means that it would be in possession of more information.

“All this is very bad for the state of privacy protection in Canada,” Malone said.

“Three of the eight government bills presented so far in this Parliament are extremely corrosive to privacy.”

In 2024, the Intelligence Commissioner received 13 ministerial authorizations for review, seven related to CSE activities and six related to CSIS activities. He approved the activities in 11 authorizations, approved the activities with conditions in one authorization and partially approved the activities in the other authorization.


