The federal government's privacy czar says Canadians should take "with a big grain of salt" suggestions from Defence Minister Harjit Sajjan that the spy agency he runs is not being invasive.
In fact, Privacy Commissioner Daniel Therrien says Mr. Sajjan and the Communications Security Establishment should be more explicit about how the CSE collects and analyzes the phone and Internet exchanges of Canadian citizens that it captures while gathering intelligence on foreigners.
"When the government, the [Communications] Security Establishment, the Minister of National Defence say, 'Don't worry, the risk is low,' in part because 'it's only metadata, it's not content' – take that with a big grain of salt," Mr. Therrien said on Wednesday.
"Metadata can actually be quite revealing" and "can say a lot about a specific individual," he said during a keynote address at the Canadian Telecom Summit in Toronto.
The remarks from Mr. Therrien, a former Department of Justice lawyer versed in intelligence matters, allude to a looming legal showdown.
CSE is run on secret orders from the defence minister, and targets the communications of foreigners, who have no inherent privacy rights in Canada.
Yet civil-liberties groups in lawsuits, and watchdog bodies in published reports, are suggesting Canadian communications are becoming collateral damage in CSE's technological spying campaigns. They are telling judges the indiscriminate nature of modern surveillance may violate the Charter of Rights and Freedoms, and its rules against illegal search and seizure.
The crux of the issue is "metadata" – or logs of phone and Internet communications.
Intelligence analysts for CSE capture, share and sift through this material in massive quantities in partnership with allies in the United States, Britain, Australia and New Zealand. Collectively known as "The Five Eyes," this alliance gives Ottawa officials extraordinary insights into what foreigners are doing and saying.
In Canada, information captured during its operations that would identify citizens is supposed to be taken out before the data are shared.
Last week, however, The Globe and Mail reported on court filings that said CSE's watchdog agency had determined the spy agency broke the law by inadvertently providing allies with the logged phone and internet activities of Canadian citizens. That led the watchdog to demand last year that Mr. Sajjan urgently clarify laws for the spy agency.
No such clarifications are known to have been made. And while CSE officials and Mr. Sajjan acknowledged the issues publicly in January, they played down the impact. "The metadata in question that was shared with Canada's partners did not contain names or enough information on its own to identify individuals. Taken together with CSE's suite of privacy protection measures, the privacy impact was low," the Defence Minister said in a statement at the time.
A spokesman for CSE reiterated that this week. "The possible impact on any Canadian is further reduced through other safeguards and privacy protections in place, applied by both CSE and its Five Eyes partners," Ryan Foreman said in an e-mailed statement.
Just how CSE collects metadata is a state secret. But Mr. Foreman said his agency puts its probes in places that are guaranteed to garner mostly foreigners communications.
Even so, the privacy issues and legal quandaries have led CSE to suspend sharing some metadata it collects with Five Eyes allies for more than two years. But "this has not affected CSE's standing with partners," Mr. Foreman said.
The Office of the Privacy Commissioner of Canada will officially weigh in on the matter in a report in the fall, but Mr. Therrien warned on Wednesday against taking the matter too lightly. "Government institutions ... should not underestimate what metadata can reveal about an individual," he said in his speech.
Mr. Therrien also used his speech to highlight a 2014 top court ruling that Canadians' Internet activities are presumed to be private, and therefore off-limits to any government agent who does not have a judge's permission to collect such material.
This has implications for CSE, because the language in the agency's "metadata ministerial directive" from cabinet could now contradict guidance from the highest court in the land.
Yet the spy agency does not believe the case, known as Regina versus Spencer, has much bearing for what it does.
"The Spencer case related to the disclosure of subscriber information from telecommunications companies to police for law enforcement purposes, which is not related to CSE's foreign intelligence and cyber defence activities," said Mr. Foreman, the agency spokesman.
More broadly, several Canadian corporations have lately voluntarily disclosed just how much data they are handing over to police. This is being done in annual "transparency reports." Of Canada's three largest wireless carriers, Rogers and Telus have published such reports – BCE (Bell Canada) has not.
Mr. Therrien is urging all carriers to "get on board."
"I think Canadians are telling us, first of all, that they would much prefer that data be shared from telcos to government only with a warrant, with a court authorization. But when that does not happen, Canadians expect that there be transparency," he said.
Mr. Therrien told reporters after his speech that "frankly, if there's not more progress I will continue to call for legislation on this issue."