Metadata and Second Parties

The Guardian has an article concerning the discussions at a metadata conference held by the Five Eyes partners at GCHQ's headquarters in Cheltenham in April 2008 (Ewen MacAskill, James Ball & Katharine Murphy, "Revealed: Australian spy agency offered to share data about ordinary citizens," Guardian, 2 December 2013). The article, based on another of the documents leaked by Edward Snowden, is focused on Australia's agency, the Australian Signals Directorate. But it also provides some information on CSEC's policy towards metadata at that time.



As the snippet above shows, the leaked document, a draft set of minutes for the metadata conference, reports that

CSEC are able to make use of unselected metadata for developing their capability. However, bulk, unselected metadata presents too high a risk to share with second parties at this time, because of the requirement to ensure that the identities of Canadians or persons in Canada are minimised, but re-evaluation of this stance is ongoing.

In the context of the Guardian story, CSEC's approach shows commendable concern for privacy compared to ASD's comparative lack of concern.

However, the snippet raises a number of important questions about CSEC and metadata.

• The snippet suggests that CSEC had access in 2008 to "bulk, unselected metadata" pertaining to the communications of Canadians and persons in Canada. How much bulk metadata pertaining to Canadian communications did CSEC have access to? On what legal grounds? And for what purpose? What access does CSEC now have?
  
  
• The snippet also suggests that CSEC would have been willing to share such data with its Five Eyes partners as long as Canadian-related identity information were "minimised". Was this eventually done? And what would minimization entail? What procedures would be put in place for other countries to retrieve Canadian identity information when that data is deemed relevant to further investigations?
  
  
• The snippet reports that "re-evaluation of this stance is ongoing." What decisions were eventually made? A new version of CSEC policy document OPS-1-10 (Procedures for Metadata Analysis [redacted]) was promulgated in September 2008. Did this document contain changes in CSEC's procedures for sharing metadata? What is the current procedure?
  
  
• There is evidence that NSA (and presumably Canada's other Five Eyes allies) currently do have access to a significant amount of Canadian metadata. Is this data supplied by Canada? What privacy rules are in place concerning the content and use of this data?