Canada’s spy agency may have broken the law by using peoples’ digital geolocation data without a warrant, a newly released watchdog report says.
The report, tabled in Parliament late Friday, says the Canadian Security Intelligence Service’s use of the data pinpointing physical locations risked breaching Section 8 of the Charter of Rights, which protects against unreasonable search and seizure.
The National Security and Intelligence Review Agency’s report found CSIS lacked the policies or procedures to ensure it sought legal advice to avoid unlawful use of the data.
It reveals the review agency submitted a report in March to Public Safety Minister Bill Blair describing the possible unlawful activity.
The agency must refer to the relevant minister any national security or intelligence activity that might not be in compliance with the law, and the minister must then forward the report to the attorney-general.
Representatives of Mr. Blair and Attorney-General David Lametti had no immediate comment.
“On a few occasions in recent years, CSIS used new collection techniques without first fully understanding and addressing their legal and policy implications,” the watchdog report said.
“In these cases, legal and policy work lagged behind the operational imperative to maintain and improve collection capabilities. This risked – and at times compromised – the lawfulness of the collection activity and the privacy of Canadians.”
The geolocation data review “raised pressing questions” regarding the use of data that is publicly available, but that nevertheless engages a person’s reasonable expectation of privacy, the watchdog said.
The primary objective of the review was to assess whether CSIS’s collection of geolocation information was compliant with the charter and the CSIS Act, as well as ministerial direction and operational policy.
The watchdog concluded that, in most cases, CSIS will need a court-approved warrant to collect a person’s location information.
It recommended that CSIS review its use of the geolocation data it collected and make a determination as to which of the operational reports generated through the use of this data are in breach of the charter.
Any such reports or documents flowing from the results should be purged from CSIS systems, the review agency added.
CSIS spokesman John Townsend said Friday the intelligence service identified possible legal risks and sought advice from the Department of Justice, although he did not say when precisely CSIS did so.
“As a result of advice from the Department of Justice, CSIS sequestered information collected by the tool so that an in-depth assessment could be undertaken to ensure that any collected information was lawfully obtained,” he added.
The watchdog review also found that CSIS overlooked “multiple indicators” that using this data might prompt legal issues, including internal discussions early on, when concerns about legal risk were raised.
The watchdog urged CSIS to develop policy that would require a documented risk assessment, including legal risks, in situations when information collected through new and emerging technologies may contain private information.
In addition, the review found that there was no policy centre clearly responsible for the use of the data.
“This was supported by an examination of CSIS’s policies and procedures in place at the time and that guided the decision to authorize the initial use of the data for a trial period,” the report said.
“The review pointed to three discrete units involved in the acquisition, assessment and approval of the data for the trial period. Ultimately, however, the review was unable to identify which of the three units should have had responsibility for the assessment of this type of data.”
Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.