The federal government's secretive electronic intelligence agency is not disclosing how long it can hold onto Canadians' communications – even though its leaders have said that "firm" time limits are in place to protect privacy.
The strictures surrounding Communications Security Establishment Canada's data-retention periods – including those affecting recognized "private communications" and also "metadata" – are blacked out from an operational document obtained by The Globe and Mail.
The redactions of this document are so extensive that little is revealed, beyond the latest indication that CSEC is drawing from unspecified sources within Canada.
"The retention schedules outlined in these procedures deal with SIGINT [signals intelligence] data acquired from Canadian [word redacted] sources," it says.
CSEC came under fire this winter for violating privacy, after a leak showed that a "Canadian special source" – never described further – had helped the agency identify and track Internet-using devices that had passed through a Canadian airport.
In February, CSEC chief John Forster responded to criticisms by telling a parliamentary committee that such activities are fully legal, and in keeping with the secret orders the agency gets from Minister of National Defence Rob Nicholson. "The data wouldn't be retained any longer than we needed it for that exercise, and the ministerial directive has a firm end-of-retention date," he said.
No specific time periods were mentioned. And the Canadian agency's closest ally is less secretive on such matters. "Inadvertently acquired communications of or concerning a United States person may be retained no longer than five years," reads a declassified National Security Agency document.
Formed in the wake of the Second World War, both CSEC and the NSA have traditionally operated as "foreign intelligence" agencies whose spying machinery pointed outward.
Yet over the past 15 years, haphazardly travelling Internet communications became ubiquitous, prompting executive-branch politicians on both sides of the border to give these agencies latitude to "inadvertently" intercept some citizens' communications and data traffic. The stated hope is that intercepting, analyzing and storing such data can point the way to valuable foreign intelligence.
"Any private communications that were retained and used by us – the number is quite small," Mr. Forster said during parliamentary testimony in April. Two years ago, a federal watchdog body said CSEC's retention policies are "reasonable."
The "Retention Schedules for SIGINT Data" document, newly disclosed under Access to Information laws, indicates a complex calculus is at play.
A chart where boxes are largely blacked out suggests that retention periods can differ depending on which of the CSEC's three mandates is engaged to intercept communications – foreign intelligence, cyber defence, or in helping other federal agencies.
Retention periods are also governed by whether CSEC intercepts full communications or just "metadata" traffic, whether the underlying information is considered "essential" – and especially whether a known "private communication" of a Canadian has been caught.