Why do security services need data and should they be allowed to have it?

In the wake of a Canadian Federal Court decision that my former employer – the Canadian Security Intelligence Service (CSIS) – illegally retained data that it had collected legally under a court warrant, the fur is really flying.  Every major Canadian media outlet has been all over this story and the reporting has been uniformly negative.  This is of course no surprise since all reporting on intelligence agencies is generally negative.  After all, writing about when the spies make mistakes is sexier than writing about when they save lives.  Even so, it is easier to point to failure than to success since the latter is often harder to prove.

A lot of concern is being expressed over why agencies like CSIS collect data, what they do with that data and whether they should be allowed to keep that data indefinitely.  People tend to see only nefarious intent and are convinced that spies use their personal data for ill.  They are hence clamouring for that data to be destroyed.  Personally, I see contradictory messaging when it comes to the collection and retention of personal data, a point I will return to later.

So the basic question remains: why do spies need data and should they be allowed to keep it?  The answer to the first question is easy: they collect data to aid in legitimate investigations, whether those investigations are about terrorism or counter espionage or counter proliferation, to name but three types.  These investigations are carried out in direct fulfillment of those agencies’ mandates as spelled out in legislation (such as the CSIS Act).  Information sheds light on who represents a security risk, whom they are contact with, what they are planning to do and how great the threat is.  No data, no investigation.  No investigation, successful terrorist acts.

It is also true, and usually underappreciated, that it often happens that when legitimately looking at Person A, Person B comes into the picture and it turns out that Person B poses a greater threat.  If CSIS were unable to collect that data, and retain it, the chances of success are lower.

Perhaps a concrete example would suffice.  Six years ago, a man called Awso Peshdary was arrested in conjunction with the RCMP’s Project SAMOSSA, a terrorism investigation in Ottawa.  The charges against Mr. Peshdary were dropped, although three other men linked to him did go to trial (which resulted in one guilty verdict, one guilty plea and one acquittal).  If CSIS (or the RCMP) had been obliged to purge Mr. Peshdary’s information from its databases, since it had clearly been determined that his activities were not “threat-related”, it is likely that any future investigation into his activities would have been seriously hampered.  As it turned out, he was re-arrested in February 2016 on different terrorism charges.  More importantly, he was linked to several other Ottawa violent extremists, some of whom are in jail and others dead in Syria, and it is very probable that the data already collected helped in those investigations.

I do think that intelligence agencies have a legitimate and compelling reason to keep the data they collect.  I also think much of the public anger and fury over the retention of metadata is grossly disproportionate for two reasons:

  • what is the big deal of having your name in a CSIS or police database anyway?  If you can be linked to a terrorist threat or criminal conspiracy then I would hope, as would most Canadians I imagine, that the Feds can use that data to stop you before you act. If you are not, then is there really any harm done?  I am having a difficult time understanding how this is an invasion of privacy, especially if we are talking about metadata, where the content of the communications is absent.  I am also scratching my head trying to figure out knowing that you emailed so-and-so on such-and-such a date is a grievous breach of your privacy and a clear window into your activities.
  • I do find that people get all upset about having CSIS hold their data and not at all upset at having FaceBook or Twitter or Amazon or Google or LinkedIn or… holding it.  In fact, there is a much, much greater chance that these corporations will use your personal information to advance their interests and not yours.  You really should be directing your indignation at those guys first.

I have no doubt that for those who see CSIS as the  out-of-control spawn of Satan none of these arguments will have any impact.  I am also quite certain that we will hear from many people who may be experts in privacy issues but absolute amateurs when it comes to national security.  And, since experts on the latter are few and far between, the former will have a greater voice. Not to mention the inexplicable reluctance of our spies to tell Canadians why they really do need to have that data.

We do need to keep our intelligence and security agencies honest and make sure they follow the law.  I happen to think they are doing both and I also know that they do a pretty good job at keeping us safe.  This debate will continue and that is indeed a good thing, but I just wish the conversation were a little less emotional and a little more grounded in reality, including a sincere recognition (and not the lip service I continually  hear)  by the privacy folks that we need to allow CSIS to deal with a very real threat environment.

By Phil Gurski

Phil Gurski is the President and CEO of Borealis Threat and Risk Consulting Ltd. Phil is a 32-year veteran of CSE and CSIS and the author of six books on terrorism.

Leave a Reply