Canada's Federal Court has rapped the Canadian Security Intelligence Service's (CSIS) knuckles for retaining too much citizen metadata.
Its judgement (in a secret case, with relevant names redacted) was handed down in October and published last Thursday.
Justice Simon Noel was more than peeved that the CSIS gathered data under warrants but didn't inform the court of the data collection program, and that it kept the court uninformed for as long as 10 years.
The judgement outlines that the CSIS interpreted its mandate as giving it the right to suck everything it collected into its “Operational Data Analysis Center” (ODAC). When it created the ODAC (in April 2006), it told its minister, then Conservative MP Stockwell Day – but it failed to tell the courts.
Essentially, the spooks used warrants to collect legitimate information – and to go on fishing expeditions, gathering “associated data” the court didn't know about.
The judgement says the CSIS “had an obligation, beginning in 2006, to fully inform the Court of the existence of its collection and retention of associated data program”.
It did not do so until 2016, even though it frequently appeared in in-camera hearings on an ex parte basis.
Its status in court meant “the CSIS had an elevated obligation to inform the Court of the use it was making of non-threat-related information collected through the operation of warrants”, but “it failed to do so.”
The judgement also criticises the CSIS for collecting and retaining “associated data” that had no relevance to security investigations.
“I conclude that the retention of associated data falls outside the CSIS’s legislatively defined jurisdiction and does not respect the CSIS’s limited primary mandate and functions,” the judgement states.
Justice Noel adds that “the rule of law must prevail”, and that limits imposed by legislation “must be respected”.
CBC carries an apology by CSIS director Michel Coulombe, along with an assertion that the data collection was mostly legal.
Coulombe said: “All associated data collected under warrants was done legally. The court's key concerns relate to our retention of non-threat-related associated data linked with third-party communication after it was collected.”