The government's electronic eavesdropping agency did not track the online activities of Canadians during a controversial study of wireless communication at airports, a federal watchdog says.
The independent body that monitors the Communications Security Establishment Canada (CSEC) says the spy agency's metadata analysis effort was not about mass surveillance or monitoring Canadians.
The watchdog's assurances, however, left analysts with lingering questions about just what CSEC legally can — and should — do when it comes to sifting through digital communications that inevitably include Canadian content.
A CSEC document obtained last month by CBC — originally leaked by former U.S. spy contractor Edward Snowden — suggested information was taken from an unidentified Canadian airport's free Wi-Fi system over a two-week period to conduct the trial.
In a new posting on its website, the CSEC watchdog says it has received a briefing from the spy agency, questioned employees involved in the project, and examined results of the data-crunching activity at issue.
"This activity is used by CSEC to understand global communications networks," said the watchdog's office, which is led by Quebec judge Jean-Pierre Plouffe. "We concluded that this CSEC activity does not involve 'mass surveillance' or tracking of Canadians or persons in Canada."
Ottawa-based CSEC has a mandate to monitor foreign computer, satellite, radio and telephone traffic of people, countries, organizations and terrorist groups for information of intelligence interest to Canada. It works closely with similar agencies in the United States, Britain, Australia and New Zealand.
The CBC story prompted a storm of concern about invasion of Canadians' privacy, putting Defence Minister Rob Nicholson — who is responsible for the eavesdropping agency — on the ropes during the House of Commons question period.
Liberal MP Scott Brison said MPs spend a lot of time in Canadian airports during their travels, using their wireless Internet access to stay connected and send e-mails containing personal information about constituents.
"Will the government notify any members of Parliament or Canadians who have been caught up in this data sweep?" Mr. Brison asked. "Will the minister initiate his own investigation into CSEC's activities, to reassure Canadians that their privacy has not been violated?"
The watchdog says in the new posting that such surveillance did not occur, adding that if CSEC were tracking the movements or online activities of people at a Canadian airport, that would be illegal.
Justice Plouffe's statement that "no CSEC activity was directed at Canadians or persons in Canada" begs legal interpretation, said Craig Forcese, an associate law professor at the University of Ottawa.
These doubts should be assuaged with real law, he wrote on Thursday in a blog posting. "And so the government needs to show its legal cards. It is long past the time when a bare assertion of legality suffices, when that assertion is based on a legal theory that no one outside of government has seen."
Intelligence expert Wesley Wark, who also teaches at the University of Ottawa, said he was curious about how and why Justice Plouffe's office arrived at its conclusions, and whether the airport Wi-Fi exercise had appropriate levels of internal approval at CSEC.
Overall, Justice Plouffe must "get used to providing full public explanations for his findings," not brief summary judgments, if he is going to "satisfy skeptical Canadians that he is truly independent and truly capable of holding CSEC to account," Mr. Wark said.
The CSEC watchdog's comments echoed those of spy agency chief John Forster, who told a Senate committee shortly after the CBC story that CSEC was merely collecting electronic metadata — data trails about messages, essentially — and not the actual content of those messages and calls.
Mr. Forster said CSEC aimed to build a mathematical model to help determine a communication pattern at a public location, in this case an airport.
The May, 2012, CSEC presentation leaked to CBC says the project could help security officials locate a kidnapper making ransom calls.
CSEC is forbidden from targeting the private communications of Canadians such as e-mails and phone calls. However, metadata are not considered private communications for the spy service's purposes.
Some civil libertarians, privacy advocates and academics say CSEC's metadata monitoring is worrisome because even such seemingly innocuous routing codes and digital stamps can reveal much about someone, such as their location and who they are contacting.
Bill Robinson, who has kept a close eye on CSEC for years, wondered on Thursday how far the agency's metadata collection and use go.
"Is CSEC currently collecting a comprehensive, or near comprehensive, or any kind of ongoing database of metadata concerning communications-related activity in Canada?" he wrote on his blog.
"And is it analyzing those activities for information relevant to its foreign intelligence targets, such as visits to websites associated with suspect causes?"
Mr. Forster has denied CSEC uses metadata to build profiles of Canadians. Rather, it helps the agency screen out the content of Canadian messages, he told the senators.
In a recent court filing, CSEC says metadata also help it identify malicious foreign cyber-activity and better understand and discover foreign targets. "Metadata allows CSE, usually through automated tools, to filter information found on the global information infrastructure without looking at the content of any communications."
The watchdog's office says it is doing an in-depth review focused exclusively on metadata.
Mr. Wark said he suspects Canadians will not see the results of that review until summer or fall of next year.