Lingering concerns about intelligence security

More than three years after he was arrested and charged with violating the 2021 Security of Information Act, Cameron Ortis, former director-general of the RCMP’s National Intelligence Coordination Centre, is free on bail for a second time. His trial on Ontario Superior Court had been due to begin in September but has been postponed until October 2023 because he had to find a new lawyer when his initial counsel was appointed to the bench.

Arrested in September 2019, Ortis, now 50, was released on bail a month later and ordered to live with his parents in British Columbia, but that was revoked a short time later and he has been in custody ever since. Ontario Superior Court Justice Robert Maranger, who presided over the new bail hearing, granted Ortis’ re-release December 20, but the evidence and testimony presented in court are subject to a publication ban.

His arrest followed the discovery during a joint investigation by the RCMP and U.S. and Australian authorities that there was a mole or “internal corruption” within the RCMP. That investigation focused on a company, Phantom Secure, whose Vancouver-based founder was arrested in Bellingham, Washington, in March 2018.

Ramos soon turned state’s witness, handing over log-in details to his encrypted network but insisted that that he did not know the identities of many of his clients. However, the FBI said they included “high-level drug traffickers and other criminal organization details” and Ramos was sentenced in 2019 to nine years in prison.

Ortis had had a fast-track career within the RCMP. While earning a doctorate in political science from the University of B.C. an expressing interest in digital security, he became a recruitment target of government and the private sector and, according to his LinkedIn profile, began working for the federal government in 2007. While Ortis was circumspect about the details of his work, his UBC thesis adviser said “he was working for the RCMP, and I knew that he was in a position of some considerable responsibility and sensitivity.”

His work afforded access to both domestic and foreign intelligence, notably the Five Eyes group through which Canada has shared information with Australia, Britain, New Zealand and the U.S. since the 1940s. Court documents show that the intelligence community was rightly worried about how this kind of breach would be received within the Five Eyes.

The Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), which is home to the Canadian Centre for Cyber Security (CCCS), agreed early on that if material seized by the RCMP had been released, “a foreign intelligence agency (could) draw significant conclusions about allied and Canadian intelligence targets, techniques, methods and capabilities.”

But there remains the question of why Ortis had not been polygraphed ¾  a perceived security gap and argument for better recruiting and screening of personnel – even though the technology’s accuracy has been questioned over the years. The NSIRA's predecessor, the Security Intelligence Review Committee, said years ago that it had “grave doubts” and the Supreme Court of Canada ruled in October 1987 (Docket No. 18856) that polygraph results could be introduced in criminal trials because  offend well-established rules of evidence.  as evidence in court.

However, all federal government employees requiring top secret clearance must be polygraphed as a condition of employment, so as Ortis once again awaits trial, the intelligence community is still sorting out its response to the fact that Ortis was not tested.

The NSIRA, an independent body that reports to Parliament, reviews all federal national security and intelligence activities to ensure they are lawful, reasonable and necessary. It has been working for some time on an assessment of the CSE’s internal security program.

Before Ortis’ re-release, FrontLine had asked the NSIRA for an update, specifically whether polygraphs should be a routine part of the recruitment process. “This review is ongoing and NSIRA has no further response at this time,” was the terse but polite response.

So the same question was put to the CSE, where spokesman Evan Koronewski replied that “it would be inappropriate for CSE to comment on the status of NSIRA’s work.” That said, he reiterated that the CSE “values independent, external review of our activities, and we remain committed to a positive and ongoing dialogue with NSIRA and other review bodies.”

Koronewski did explain that the NSIRA “is examining audiovisual recordings of polygraph interviews of a sample of CSE employees, integrees/secondees and applicants.” While officially welcoming the review, he said the CSE’s “only preoccupation is he privacy of our employees” and “we will continue to work with NSIRA to ensure the privacy, personal information, and dignity of CSE employees is protected.”

He had said earlier that “employees expose very personal information during the polygraph examination which is designed to assess factors such as loyalty and reliability” but the NSIRA, which said its methodology will be made public once the report on it work is finished, insisted that “a comprehensive review of security screening practices at CSE, including the use of the polygraph, is not possible without access to security screening files.”

The Public Service Alliance of Canada, which includes some 2,400 CSE employees, has expressed “serious concerns about how the privacy of our members will be protected” and a spokesperson for the Office of the Privacy Commissioner has said it is investigating “several complaints” about NSIRA staff watching the polygraph recordings.

The Commissioner, Philippe Dufresne, appointed in last June, didn’t address specifics in a November 25 speech to the Public Interest Advocacy Centre’s annual dinner, but did offer insight into how he handles his mandate.

“Committed to promoting and protecting the fundamental rights of Canadians, while at the same time ensuring that pragmatic and important objectives are also achieved,” he said that while “technology offers tremendous potential for public- and private-sector innovation, and for improving the lives of Canadians […] protecting privacy will be critical to our success as a free and democratic society, and a key challenge for Canada’s institutions in the coming years.”

He said public and private sector privacy laws must be modernized to respond and adapt to societal and technological changes, and to keep pace with legislative developments in other jurisdictions domestic and international jurisdictions.

Privacy should be a “fundamental right,” Dufresne said, because it not only “supports important public and private interests” but also builds “necessary trusts.” Moreover, protection of personal privacy meant “limiting the collection, use, retention and disclosure of personal information to what is demonstrably necessary and proportional to achieve an organization’s purposes.” It also meant “adequately training those dealing with that information on the importance of protecting privacy, and having monitoring mechanisms in place to ensure that policies are being followed on an ongoing basis.”