By Christopher Parsons and Lex Gill
Last summer, the government tabled Bill C-59, An Act respecting national security matters. One of the most important sections of the bill, the Communications Security Establishment Act, would establish new rules to govern Canada’s signals intelligence agency, the CSE.
In 2014, documents provided by Edward Snowden revealed that the CSE had collected location data and more about travellers in Canada, spied on files uploaded and downloaded by people around the world, exploited vulnerabilities in a communications program used by hundreds of millions, used innocent people’s computers as proxies in their intelligence activities, and more.
Yet compared to some of Canada’s closest allies, public glimpses into the CSE’s operations have been limited. For example, the activities of agencies like the National Security Agency and the United Kingdom’s Government Communications Headquarters were far more widely exposed, and raised even graver privacy and human rights issues in the process. While some of the secrecy under which these agencies operate is clearly warranted, the CSE’s lack of transparency means it is impossible to fully understand how the agency operates, or how the proposed CSE Act will change elements of its operations.
In addition to the troubling 2014 revelations regarding the CSE’s conduct, it could be reasonable to infer that the Establishment is engaged in other controversial activities similar to those conducted by allied agencies. The few glimpses we’ve had into the secretive agency have shown that the CSE collects similar kinds of data as its counterparts using comparable methods. In short, before having a debate about what the CSE should be allowed to do under the new law, we need to better understand both its past and present conduct.
Journalists and Members of Parliament would be well advised to ask the government:
- The NSA and GCHQ engage in bulk collection of data from telecommunications providers. Does the CSE engage in the bulk collection of data from Canadian telecommunications service providers, satellite communications providers, or undersea cable companies? Would it do so following adoption of the CSE Act?
- The GCHQ has a program whereby it secretly collects images from users’ webcams in the United Kingdom. Does the CSE capture, or plan to capture, unselected or selected images from web cameras that are operating in Canada or elsewhere in the world?
- The NSA has a program that involves intercepting, opening, and modifying computer equipment before it is delivered to the customer. Does the CSE participate in, or plan to engage in the interdiction of computer hardware and modification prior to delivery?
- The NSA paid a security company to deliberately include weakened cryptographic protocols in its products, undermining the security of software for all its users. Does the CSE pay or otherwise encourage private companies to deliberately weaken cryptographic protocols or to insert or maintain security vulnerabilities in their consumer products?
- The NSA and GCHQ have targeted private individuals responsible for operating critical Internet infrastructure with malware in order to collect confidential information they possess or gain access to systems using those individuals’ stolen credentials. Does the CSE target private individuals, like systems administrators, who are identified as being of interest purely because they have access to core Internet infrastructure?
While these questions do not fully account for the activities undertaken by Canada’s closest intelligence allies, they are representative of the intrusive nature and their potential to massively collect domestic and international data traffic and communications alike. Parliament should understand that both the National Defence Act and the proposed CSE Act could allow the Establishment to undertake most, if not all, of the above-mentioned activities in at least some situations. And, while the CSE or its Minister may refuse to respond to these questions, the public and parliamentarians need to better understand the specific types of activities that are currently authorized and which could be authorizable under the proposed CSE Act.
Even then, assurance from the Establishment that it has no intention of pursuing these types of controversial operations is hardly comforting if its current legal framework—or the proposed CSE Act—will give it the latitude to do so in the future. Governments change, and if Parliament’s intention is not to allow the CSE to engage in these types of activities, then Bill C-59 should be amended to foreclose that possibility. If it is their intention to authorize these, that should be clarified for the public so that a meaningful, robust public debate on Bill C-59 is possible.
Lex Gill is a Research Fellow at Citizen Lab. Christopher Parson is Managing Director of the Telecom Transparency Project and a Research Associate at the Citizen Lab.