Ottawa's privacy watchdog wants limits on spies' information collecting powers

Privacy commissioner says that just because information may be "publicly-available," it doesn't mean it's automatically fair game for spy agency's.

Thestar.com
March 8, 2018
By Alex Boutilier

The federal privacy watchdog wants limits on spies' new power to collect "publicly-available information," including on Canadian citizens.

Privacy Commissioner Daniel Therrien said Wednesday that just because information may be "publicly-available," it doesn't mean it's automatically fair game for spy agency collection.

"We are of the view that, while the reasonable expectation of privacy attached to publicly-available information is reduced, there remains a residual reasonable expectation of privacy that requires protection," Therrien wrote in a submission to the House of Commons' public safety committee.

Bill C-59, the Liberals' national security overhaul, grants new powers for Canada's electronic spy agency to collect publicly-available information in the course of their duties.

The definition of that information is broad - "very broad," in Therrien's opinion - and includes anything that is "published or broadcast for public consumption (or) is accessible to the public" on the internet. The Communications Security Establishment (CSE) would also be able to purchase databases from private vendors under the new powers.

Critics have warned the new powers open the door for CSE to purchase stolen or hacked material. While CSE says it will not purchase stolen information, C-59 does not explicitly prohibit the agency from doing so.

Therrien also raised the concern data brokers may not obtain Canadians' consent before packaging "publicly-available" information into a database and selling it to spies.

"Will publicly-available information always be lawfully obtained or created by a vendor, including in compliance with Canada's private sector privacy laws, notably its requirement for meaningful consent?" Therrien wrote.

"It is important in a country governed by the rule of law that national security agencies not be able to use the fruits of activities that may not be criminal, but are still unlawful."

Therrien is recommending CSE be limited to collecting only "legally" broadcast publicly available information, and purchase only data that was legally obtained by data brokers — including obtaining consent before collecting information on Canadians.

But in addition to illegally obtained data, the internet abounds with sensitive information that may never have been intended for public broadcast. Think of the 2015 Ashley Madison hack, where 39 million users had their sexual preferences, credit card information, and emails released publicly.

In a statement to the Star in January, CSE spokesperson Ryan Foreman said the agency would not obtain information "unlawfully" released, such as in a leak, or information that was not intended for public consumption. Foreman also said that CSE's overall mandate limits what it can do with publicly-available information on Canadians.

"CSE would not be permitted to use publicly available information to investigate Canadians or build a dossier on them, as CSE does not have a mandate to investigate Canadians," Foreman wrote.

"The intent of the publicly available information provision of the proposed CSE Act (in C-59) is to ensure that CSE is able to conduct basic research in support of its mandates without fear of breaching the restrictions on directing activities at Canadians."

While Therrien acknowledged CSE's public assurances on the issue, he still wants limits explicitly set out in the legislation.

Therrien recommended C-59 be amended to ensure the collection of publicly-available information be "reasonable and proportional" and always consider the "effects on Canadians and people in Canada including their right to privacy."

The House of Commons public safety committee will resume their study of C-59 later this month.