In a guest post on JustSecurity co-authored with Tamir Israel of the Canadian Internet Policy & Public Interest Clinic (CIPPIC), Citizen Lab Postdoctoral Fellow Christopher Parsons urged a re-evaluation of Canada’s intelligence sharing with its Five Eyes allies. Last week, Communications Security Establishment Commissioner Jean-Pierre Plouffe explained in his annual report that certain types of metadata were not being appropriately protected before being shared with Five Eyes allies, leading the Canadian government to stop sharing this information. CSE’s methods of de-identifying metadata containing Canadians’ personal information failed to keep Canadians anonymous when set against allies’ re-identification capabilities. Though it has a broad mandate to gather intelligence on non-nationals, CSE is barred from directing activities at Canadians.
After it started to share Canadian metadata with Five Eyes allies in 2011, CSE relied on de-identification techniques to adhere to the prohibition on directing its activities at Canadians. Canadian National Defence Minister Harjit Sajjan explained in a statement accompanying the CSE annual report, which first identified this de-identification failure, that technical deficiencies in the de-identification systems produced the failure, leading them to stop sharing “certain types of metadata.”
Christopher Parsons and Tamir Israel said of the process that “identity suppression in metadata is an inherently difficult activity. Any de-identified dataset of sufficient volume and utility will be subject to ongoing risks of re-identification.” They added: “In other words, de-identification is not absolute, and will always entail tradeoffs between the ongoing utility of a dataset and minimizing the risk that some or all of the data therein will be traceable to an individual, based on established priorities.”
In another interview with The Province, Christopher Parsons commented on the recent case of a Canadian man whose credit card information was stolen by a thief, who then racked up $11,000 of spending on his card. Major Canadian banks have shifted over to chip and PIN technology since 2008, replacing magnetic stripe and signature. “The chip and PIN is a dramatic improvement over the old technology (of magnetic stripe and signature) but it is not infallible by any stretch,” Christopher Parsons said. However, the chip and PIN technology has since been used by banks to shift responsibility for fraud to users, “which is good for banks and bad for you and me,” Parsons concluded.