Corp Comm Connects


CSIS kept ‘all’ metadata on third parties for a decade, top secret memo says
Top secret memo suggests large scale for CSIS metadata program, Federal Court ruled keeping the data was illegal in 2016.

thestar.com
By ALEX BOUTILIER
June 8, 2017

When CSIS intercepted the communications of innocent people between 2006 and 2016 “all” the metadata related to those communications was retained in a controversial database, a top secret memo obtained by the Star suggests.

The document relates to CSIS’s Operational Data Analysis Centre (ODAC) and a now-discontinued program that stored data intercepted from the service’s targets - and people who were in contact with them at the time.

The Federal Court ruled in 2016 it was illegal for the service to indefinitely keep data on people who posed no threat to Canada’s national security - such as the family, friends or coworkers of CSIS targets - for future analysis.

While the basics of the program were revealed in heavily censored court documents, the scale of the program is not widely understood. CSIS told parliamentarians earlier this year that it didn’t know how many Canadians were caught up in the ODAC.

But in an October 2016 memo to Public Safety Minister Ralph Goodale, outgoing Canadian Security Intelligence Service director Michel Coulombe suggested the court’s ruling would have a significant impact.

“Though (CSIS) may continue to retain associated data linked to a target’s communications, it will no longer be able to retain (metadata) linked to third-party communications found to be unrelated to threats,” Coulombe wrote in the memo, stamped Top Secret and obtained under access to information law.

“This is a shift from current practice, as since 2006, CSIS has retained all (metadata) and inserted it into ODAC for future investigative purposes.”

According to court documents, CSIS set up the ODAC in 2006. While the agency notified then-Public Safety minister Stockwell Day about the program, it’s not clear how detailed the briefings to Day or subsequent ministers were.

CSIS would lawfully obtain a warrant to intercept a target’s communications, but would then feed the details about those communications - “metadata” such as phone numbers, location data, time of call, etc. - into the ODAC databases. That included the target’s communications, but also data on “third party” or “non-threat” individuals who were connected to the target.

The data allowed CSIS to deduce “specific, intimate insights into the lifestyle and personal choices of individuals” who posed no threat to Canada’s national security, according to court documents. Moreover, CSIS failed to tell federal court judges that information gleaned from warrants they were requesting was being fed into the database.

CSIS agreed with the decision and halted “internal use and analysis of all (metadata)” related to third parties, according to the documents. The court also imposed restrictions on how long CSIS can retain and analyze data about third parties, although they were censored from the court documents.

But the documents obtained by the Star show the restrictions under which CSIS must now operate.

“Upon successful decryption or decoding, (CSIS) will have six months to assess information and communications that are obviously unrelated to a target or threat,” Coulombe wrote.

“(CSIS) will continue to have 12 months for other communications and information.”

According to the memo, CSIS was told to have the new rules in place by January.

Coulombe noted in his memo to Goodale that CSIS believed they were operating lawfully, based on advice from Department of Justice lawyers. Goodale, along with Justice Minister Jody Wilson-Raybould, have ordered a review into the matter.

Goodale’s office said Thursday that both the Department of Justice and CSIS have worked to improve transparency in dealing with the courts, releasing an “action plan” to address findings by Federal Court Justice Simon Noël in November 2016.

“The action plan focuses on accountability, governance, scanning, responsiveness, training and facilitating the work of the Federal Court on warrants,” Scott Bardsley wrote in an email.

In a statement Thursday evening, CSIS spokesperson Tahera Mufti reiterated that all the ODAC data was collected legally via court warrants over the years. The Federal Court did not rule the collection of third-party metadata was illegal - just the indefinite retention.

Mufti also confirmed the new six-month period to assess whether metadata is relevant to a CSIS investigation.

“CSIS has implemented new retention practices for information, including associated data (metadata), collected via warrant that are in compliance with (Noël’s) decision, which will allow ODAC to recommence its analysis of newly acquired associated data,” Mufti wrote.

“ODAC historical metadata holdings remain fenced off, and unavailable for use, until a final decision regarding their disposition is made.”