The national spy watchdog is calling on the military’s counter-intelligence unit to suspend investigative searches of a workplace computer system over concerns about employee privacy.
A National Security and Intelligence Review Agency report released Thursday says Defence employees and Armed Forces members have a reasonable expectation of privacy when making personal use of work computers.
Acceptable personal use can include communicating with family and friends, online shopping and accessing news or other information.
A checklist used by the Canadian Forces National Counter-Intelligence Unit for electronic investigative searches had the potential to capture intimate and personal information protected by the Charter of Rights, the review agency found.
The unit investigates and counters threats by foreign intelligence services, individuals and groups engaged in terrorism, espionage, sabotage, subversion or organized criminal activities that affect the security of the Defence Department or the Armed Forces.
The review agency says the unit’s electronic search practices lacked sufficient legal oversight to ensure they were as minimally invasive as possible.
As a result, the watchdog recommends Defence and the Armed Forces suspend such counter-intelligence searches until a reasonable legal authority is in place.
Once legal authority is established, authorities should create a new policy framework reflective of the review agency’s findings, including the principle that searches be minimally intrusive, the report adds.
The Defence Department had no immediate comment on the recommendations.
The report says Defence policy recognizes there is only a limited expectation of privacy when using work computer systems because they are subject to monitoring for purposes of system administration, maintenance and security, and to ensure compliance with federal directives and standards.
Even so, the review agency says, it is nonetheless a reasonable expectation of privacy protected by the Charter guarantee against unreasonable search or seizure.
The review agency acknowledges that Defence has “a legitimate interest” in safeguarding its resources.
“However, the ‘finer points’ of an employer’s right to monitor computers issued to employees has been left by the Supreme Court for another day,” the report says.
“While the law on employee computer searches continues to evolve, a reasonable expectation of privacy is subject to state intrusion only under the authority of a reasonable law.”
A search conducted without a warrant is presumptively unreasonable and contrary to the Charter, the report says.
It notes that in the absence of a warrant, the Crown must establish on a balance of probabilities that the search was authorized by law, that the authorizing law was itself reasonable and that the authority to conduct the search was exercised in a reasonable manner.
The review agency says it is concerned the counter-intelligence unit “has not adequately considered their legal authorities to determine whether they have reasonable lawful authority to conduct warrantless searches” for investigative purposes.
The report also expresses concerns about metadata — information associated with a communication, but not the message itself.
The counter-intelligence unit receives metadata such as the names of the sender and recipient, as well as the subject line and any attachment names.
The review agency notes that metadata can be revealing or intrusive when coupled with other information.
When viewing the information compiled through the checklist in its entirety, it is possible that intimate personal information related to the subject under investigation may be revealed beyond what was initially contemplated or authorized, the report says.
In addition, an email subject line can reveal the content of the communication that it describes, and might be just as sensitive as anything contained within an email, the report adds.
“Therefore, it is inaccurate to consider email subject lines as metadata, rather than content.”