Canada's electronic eavesdropping agency has amassed a huge trove of emails sent to the government, as part of its cybersecurity mandate, according to a leaked secret document Wednesday.
And their retention by the Canadian Security Establishment (CSE) for days, months or years in some cases, is worrying privacy advocates.
Public broadcaster CBC, citing a 2010 document obtained from former US National Security Agency contractor Edward Snowden, said the CSE closely monitors visits to government websites and scans about 400,000 emails per day for suspicious content, links or attachments.
The electronic communications include Canadians' electronic tax returns, emails to members of Parliament and passport applications, the Canadian Broadcasting Corporation said.
The aim is to protect Ottawa from cyber attacks.
"While government cybersecurity is important, there is clearly no cybersecurity need to retain people's private information for months or even years," David Christopher of the non-profit OpenMedia, which advocates for an open Internet.
The CSE's automated surveillance system sifts through the emails and flags about 400 per day, which typically get whittled down by security analysts to four that could be serious threats.
The CSE would then warn the ministries targeted to take countermeasures to protect their computers and networks from hackers, criminals or enemy states.
In addition to the messages themselves, the CSE also holds on to metadata, which identifies who sent an email, as well as when and where.