One of Canada’s intelligence agencies says it “improperly” shared information about Canadians that it had obtained “incidentally” with international partners.
The Communications Security Establishment (CSE) shared some details about the incident after the intelligence commissioner — the quasi-judicial position that reviews the cyber spy agency’s activities — flagged the case in his annual report tabled in Parliament earlier this week.
CSE spokesperson Janny Bender Asselin told CBC News that last year the agency had to notify the defence minister “of an incident where CSE improperly shared information.”
“CSE identified an activity where, between 2020 and 2023, we shared some information with international partners without properly removing Canadian information that had been acquired incidentally when targeting valid foreign intelligence targets,” she said.
“CSE acted quickly to contain the issue.”
The CSE is considered one of Canada’s intelligence crown jewels, responsible for intercepting and analyzing foreign electronic communications, launching cyber operations and defending the government’s networks and critical infrastructure from attacks.
Asselin said that included seeking assurances from CSE’s trusted partners that the shared information was deleted.
“We continue to update our policies and procedures to prevent reoccurrence,” she said.
CSE did not say how many Canadians were impacted or to which countries the information was shared, citing operational security.
Details were shared with Intelligence Commissioner Simon Noël, who raised it in his recently published report.
The commissioner is part of the chain of approval before CSE and its sister agency, the Canadian Security Intelligence Service (CSIS), can go ahead with certain intelligence-gathering and cybersecurity activities.
CSE first needs to seek permission from the minister of defence — known as ministerial authorization — if the proposed action would otherwise break the law or potentially infringe on the privacy interests of Canadians.
Under the law, ministerial authorizations must prove the activities are reasonable, necessary and that measures are in place to protect Canadians’ privacy.
The intelligence commissioner then provides a layer of oversight and either signs off on the mission, approves with conditions or denies the request outright.
Noël also makes sure CSE remains compliant after receiving the green light and sticks to what was approved — which was not the case in this information-sharing matter.
The commissioner’s report doesn’t include many details, citing national security.
CSE says data shared between 2020 and 2023
The case will be included in CSE’s own annual report, which is expected later this month, said Asselin.
Noël’s report said he urged the intelligence agency to be as transparent about the incident as possible.
It doesn’t appear the individuals involved were alerted, although CSE said it reported the incident to its oversight and review bodies, including the Office of the Privacy Commissioner.
“The disclosure of this incident involving CSE raises many serious concerns,” said Matt Malone, director of the Canadian Internet Policy and Public Interest Clinic.
The University of Ottawa professor said the findings justify many of the fears raised by civil society groups about the potential for inappropriate information in the Liberal government’s cybersecurity bill. The first iteration of the bill died when the House prorogued earlier this year, and it was reintroduced by Prime Minister Mark Carney’s government as Bill C-8.
If passed, federally regulated industries would have to report cybersecurity incidents to CSE, meaning it would be in possession of more information.
“All of this bodes very poorly for the state of privacy protection in Canada,” Malone said.
“Three of the eight government bills introduced so far in this Parliament are extremely privacy-corrosive.”
In 2024, the information commissioner received 13 ministerial authorizations for review — seven relating to CSE activities and six relating to CSIS activities. He approved the activities in 11 authorizations, approved the activities with conditions in one authorization and partially approved the activities in the other authorization.
