Canadians in spy agency crosshairs?
New bill lets CSE into our lives, critics say
The government’s new public safety bill gives new powers to Canada’s foreign intelligence agency that has a growing number of critics worried it will put Canadians in the crosshairs.
The Communications Security Establishment has long had a mandate to focus solely on foreign intelligence. But a recent report by the Citizen Lab at the University of Toronto said the limitation is “largely a fiction” and raised concerns about the agency’s new powers and how they will affect Canadians.
Bill C-59 is winding its way through parliamentary committees and has been touted as the Liberal government’s improved version of the Harper government’s national security legislation, Bill C-51, which also attracted controversy. The Liberal bill creates a standalone act that governs the CSE and, along with an enhanced mandate for cybersecurity, introduces quasi-judicial oversight on the agency in the form of a newly created Intelligence Commissioner.
That enhanced mandate, “extraordinary exceptions” to the CSE’s rule against directing its activities at Canadians and the interconnected nature of the world’s information systems, mean the bill could create a host of new privacy concerns. The Citizen Lab report also points out that, because the agency operates in “near-complete secrecy,” it is “impossible for the public to fully understand” how the new act will modify or enhance the CSE’s power.
The bill specifically makes an exception to the agency’s mandate to steer clear of Canadians when it comes to collecting “publicly available information.” NDP MP Matthew Dubé spent his entire allotted time at a committee hearing trying to find out why that exception is needed and what it will be used for.
“Is there not a concern that we can start going through someone’s social media information that might be public, creating profiles of people who might not necessarily be national security threats, and having this data stored?” asked Dubé.
CSE chief Greta Bossenmaier said the provision would be used for “basic research,” such as when the agency is issuing a cybersecurity report and wants to refer to public documentation about a breach or incident.
“We don’t have a mandate to focus on Canadians,” she said.
In an interview, Dubé said he wasn’t satisfied with that answer, and the Citizen Lab report went further, saying that, despite the mandate, this doesn’t require authorization from the minister or intelligence commissioner. That means protections and limitations for Canadians only apply if CSE believes the practices around publicly available information contravene a Canadian law or the charter.
The Citizen Lab report concedes that, due to the CSE’s wide mandate for sweeping up data, Canadian information will inevitably be collected and recommends the agency keep statistics about how often that happens and when it is disclosed domestically.
The report also raises the alarm about “a loophole which would allow the (agency) to cause death or bodily harm, and to interfere with the “course of justice or democracy.”
Restrictions against these activities only appear under defensive and active cyber operations, creating a possibility they are not prohibited while the agency is conducting foreign intelligence. The report argues this is probably a drafting error, but a possibly dangerous one nonetheless. The report also points out that the wording allows for “creative” interpretations of the word democracy, and possibly allows for interference in the political affairs of countries not deemed democratic.
The bill also gives the CSE the power to use its defensive tools on private critical infrastructure on Canadian soil to prevent cyber attacks, similar to how it currently protects government systems. That, according to the Citizen Lab, is an “exceptional departure” from the legal framework the CSE currently operates in.
It means the CSE can access any information hosted on or travelling through systems in sectors the minister has deemed “critical,” like banking, telecommunications and energy. The CSE can only retain information relating to Canadians when it is essential and that information can only be disclosed to protect public or private infrastructure from harm. But the minister has the authority to designate the ability to receive these disclosures to anyone — in government or in the private sector.
But according to Public Safety Minister Ralph Goodale, “without this authority, you have to sit back and wait to be attacked, even though you know it’s going to happen. You’re not in a position to be proactive. With the new authorities, CSE would be able to identify a very likely attack and be more proactive in preventing it from happening, rather than to try to clean up the mess after it has happened.”
The CSE reported that in 2015, the government itself was threatened by cyber attacks about 50 times a week, and two per cent of those attempts actually breached federal systems.
This year, both credit reporting agency Equifax and Uber suffered high-profile cyber attacks — and a September report on cyber security from the ministry of Public Safety department warned that “progress to secure systems of importance to Canada has been limited.”
The report also described confusion among private infrastructure operators about where the government’s point of contact was for reporting cyber attacks or seeking advice on how to thwart them.