I think a lot is riding on that word “target” and what you were speaking about in terms of what the CSE presented to the committee.
It's true that the CSE, through its mandate and through the CSE Act, cannot target Canadians, but in collecting signals intelligence and in carrying out their work, including on cybersecurity and protecting cyber-infrastructure, as I mentioned, they collect all kinds of information, and then they sift through it. There's information that's known as unselected information, which is information that is not specifically targeted, but they may accumulate it in carrying out their collections, and then that information is retained, and some of that information may relate to Canadians. That's where they came into problems, as I mentioned earlier, in terms of sharing Canadian information with the Five Eyes and with other countries.
It isn't that they are targeting Canadians—there's that word “targeting”—but rather that they are incidentally collecting that information and retain it, and it is still used in other ways, so that's what we see. When they're pushing up against the boundaries, that's what they do.
There's another category of information, metadata. Metadata isn't the communications themselves; it's all the information around the communication, like who sent the information, who received it, at what time, from where, what kind of software was used and what kind of equipment. There's a debate of long standing around whether or not metadata should be considered private information. It's been clear that metadata taken together can paint a very clear picture of what individuals do and can lead to being able to identify certain individuals, yet the CSE has consistently argued that that doesn't amount to private information. Again, it's not targeting Canadians but collecting that kind of information.
The final thing I'll mention is around publicly available information. Despite every other restriction around the CSE's collection of information, they are allowed to collect publicly available information. Again, they're not allowed to collect information that has privacy impacts on Canadians, but there's still debate around what's considered private information or what maintains a reasonable expectation of privacy. For example, regarding information that we post on social media, there's an argument that it's publicly available information, but at the same time, are we expecting that to be collected, retained and possibly shared by our national security agencies?
That was at the heart of the debate around Clearview AI. They argued that facial images of Canadians online were considered publicly available information and that they could collect it. The Privacy Commissioner ruled that it was mass surveillance and was illegal. When they brought that to the RCMP, the RCMP said that they had no obligation to ensure that if they were working with Clearview AI, they were following Canadian law.
We don't know about the CSE's work on facial recognition technology, but if we can see that with the RCMP and that approach, that definition and the lack of clarity around publicly available information, we have to be worried that the CSE would be interpreting it the same way.