Both of Canada’s spy agencies took serious hits to their credibility Thursday in a pair of reports that slammed the Communications Security Establishment for breaking the law and sharing Canadians’ metadata, and slapped the Canadian Security Intelligence Service with an accusation that it is not adequately dealing with insider threats.

A review by the Security Intelligence Review Committee, the board tasked with after-the-fact review of CSIS’s activities, suggested that the domestic spy agency had significant shortfalls in how it assesses insider threats and tracks and investigates breaches of secure information.

The report flagged multiple issues with how CSIS conducts internal investigations, particularly that employees are insufficiently trained to conduct investigations into the breach of secure information and how to conduct sensitive investigations, and stressed that there is a “haphazard application” of how the agency tracks who accesses sensitive information.

But since modern intelligence agencies are less siloed than those in the past, that could be a big problem, said one former spy.

“I started during the Cold War and in those days, everything was deeply departmentalized because everybody was in fact worried about insider threats, they were worried about that Soviet mole because there had been so many inside operations against Western intelligence agencies,” said Ray Boisvert, former assistant director of intelligence at CSIS. “We’ve completely forgotten about those lessons of the past … I’d have to be worried that we’re not doing enough to look at insiders.”

Boisvert said the current climate of increased information sharing within domestic agencies raises questions about how prepared agencies like CSIS, but also government departments and other national security bodies, are to protect themselves from those who would betray their positions.

“You’ve got to remember the Jeffrey Delisle story,” he said, referring to the former Canadian navy sub-leiutenant who was convincted in 2013 for passing information to the Russians.

“Could that happen again? Absolutely.”

Metadata sharing flagged

The nation’s cyber intelligence agency, the Communications Security Establishment (CSE), was also found to have major problems with how it shares information.

It was found to have shared unprotected metadata about Canadians with Five Eyes allies, with Commissioner Jean-Pierre Plouffe stressing in his annual report to Parliament that the agency needs a new ministerial directive to clarify exactly what its responsibilities are in using and sharing Canadians’ metadata.

“I found that the metadata ministerial directive lacks clarity regarding the sharing of certain types of metadata with Five Eyes partners, as well as other aspects of CSE’s metadata activities,” Plouffe writes in his 2014-2015 report on the agency’s activities.

Metadata consists of information used to identify a communication such as a phone number, internet protocol address or email.

It does not include the content of the communication itself.

Defence Minister Harjit Sajjan said the agency stopped sharing the metadata once it discovered that a technical glitch with its software meant certain types of metadata weren’t being protected before sharing.

Sajjan said the sharing will not start again until he is assured that Canadians’ privacy will be protected.

In a first for the agency, senior CSE officials held a technical briefing after the release of the report and stressed that it would have taken significant analysis to link any of the information that was accidentally provided with specific Canadians — but did not acknowledge suggestions that it would not be difficult for allied countries receiving the metadata to piece it together with information they obtain on their own in order to identify the individual.

The officials refused to say in the briefing how many Canadians had their metadata shared or whether they knew what the exact number is.

Timing raises questions

CSE is prohibited from targeting its activities at Canadians but as the officials noted, it does collect information on threats targeting Canadians from abroad under the National Defence Act and that may incidentally lead to the collection of information about Canadians.

The official would not comment on accusations that this kind of activity could be interpreted as mass collection without a specific target or goal.

It’s also not clear why the CSE’s non-compliance was not shared with Canadians earlier.

The breaches took place in 2014, while the former Conservative government was in power.

“I can’t answer the question about the former government, what their reasons were,” said Sajjan, also noting he does not believe any of the metadata inadvertently shared could have ended up in the hands of any countries beyond the Five Eyes.

“No, the Five Eyes – the agreements that we have in place are solid,” he said.

Neither the Conservatives nor the NDP raised the topic in question period on Thursday, although NDP public safety critic Randall Garrison released a statement to .

“”Reports released today from two of Canada’s surveillance agencies renewed concerns about the threats to privacy and civil liberties in Canada,” Garrison said in the release.

He called for the Liberals to put safeguards in place to ensure that CSE does not violate privacy laws again but did not specifiy what measures he would like to see.

On the SIRC report, Garrison called the issues it raised “equally troubling” and said that allegations in the report that suggest CSIS practices did not follow international law are concerning.

Al Qaeda, Taliban dealings

SIRC said in the report that CSIS lacked a procedure to verify whether its human sources – operatives in the field who feed information back to CSIS employees, or officers – involved in operations against al-Qaeda and the Taliban were in accordance with the United Nations Al Qaeda and Taliban Regulations.

Those rules are binding and, among other things, prohibit the provision of funds to people associated with the Taliban or Al Qaeda.

CSIS expressed concern to then-Department of Foreign Affairs, Trade and Development in 2013 that it worried this rule would limit its human source operations.

It did not pursue the issue though and while it agreed to SIRC’s recommendation that it do regular checks on its human source operations to make sure they are not violating Canadian statute or regulation, CSIS did not mention whether it would do the same for checking with accordance for the United Nations Al Qaeda and Taliban Regulations.