Display Binary Bytes Code by Markus Spiske / ffcu.io  Creative Commons Zero – CC0 – Public Domain


Five Eyes Wide Open: How Bill C-59 Mixes Oversight with Expansive Cyber-Security Powers

Four years ago, Edward Snowden shocked the world with a series of surveillance disclosures that forced many to rethink basic assumptions about the privacy of online activities in light of NSA actions. In the years that have followed, we have learned much more about the role of other countries – including Canada – in similar activities (often in partnership with the NSA). The legality and oversight over these cyber-related programs fell into a murky area, with legal challenges over metadata programs, court decisions that questioned whether Canadian agencies were offside the law, the hurriedly drafted Bill C-51 that sparked widespread criticism, and concern over the oversight and review process that many viewed as inadequate.

Yesterday, the Liberal government unveiled Bill C-59, the first genuine attempt to overhaul Canadian surveillance and security law in decades. The bill is large and complicated, requiring months of study to fully assess its implications (reactions from Forcese/Roach, BCCLA, CBC, Wark, Amnesty). At first glance, however, it addresses some of the core criticisms of the Conservatives’ Bill C-51 and a legal framework that had struggled to keep pace with emerging technologies. Leading the way is an oversight super-structure that replaces the previous silo approach that often left commissioners with inadequate resources and legal powers. The government has promised to spend millions of dollars to give the new oversight structure the resources it needs alongside legal powers that grant better and more effective review of Canadian activities.

Bill C-59 also places some CSE activities under quasi-judicial control for the first time in its history. A newly created Intelligence Commissioner (a former judge) must authorize some Communications Security Establishment activities as “reasonable” before CSE can undertake these activities, establishing meaningful independent oversight over a set of activities that were previously at the discretion of the Minister of National Defence. The new quasi-judicial control could use some tweaking, however, since it is limited by its secrecy (the body only provides its reasoning to the government and the new intelligence oversight agency) and the absence of appeal mechanisms.

Better oversight alone does not effectively address the privacy-security balance, however. The bill goes beyond fixing longstanding oversight shortcomings by also seeking to address some of the hot button concerns that emerged from C-51. The bill seeks to scale back on disruption powers, narrow the terrorism propaganda provision, and alter the much-criticized provisions that might have been applied to public protests. It does not, however, address the serious concerns about information sharing within government that create a “total information awareness” approach. The failure to fix information sharing isn’t a huge surprise – the Liberals were supportive of it during the C-51 discussion – but it is nevertheless a disappointment that leaves a major privacy concern largely intact.

The bill also notably avoids diving back into the lawful access debate. The government’s consultation paper last year placed the issue back on the agenda, raising the possibility of new disclosure warrants and new rules on encryption. Bill C-59 does not touch those issues, suggesting that the government, law enforcement, and civil society continue to struggle to find common ground that would both address law enforcement concerns and remain consistent with the Supreme Court of Canada’s Spencer decision. Lawful access is far from dead – a bill may still be forthcoming – but it remains on the back burner for now.

Yet the aspect of the bill that may require the most careful study is the reshaping of the mandate and powers of the CSE and the expansion of CSIS activities online. The CSE has been at the forefront of cyber-related issues from an operational perspective, but the mandate identified in the National Defence Act required a broad interpretation to make all of its cyber-security activities fit. The mandate states:

The mandate of the Communications Security Establishment is

(a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;

 (b) to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and

(c) to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.


Further, the current mandate limits the geographic scope of CSE activities:

Activities carried out under paragraphs (1)(a) and (b)
(a) shall not be directed at Canadians or any person in Canada; and

(b) shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.


Bill C-59 explicitly confirms that the CSE is a cyber agency wielding both offensive and defensive powers and grants it the ability to operate in Canada. This may embolden the CSE to engage in foreign government hacking, access information from domestic Internet companies, and disrupt communication activities.

The new mandate identifies five broad activities: foreign intelligence, cyber-security and information assurance, defensive cyber operations, active cyber operations, and technical and operational assistance. Given that foreign intelligence and technical/operational assistance are holdovers from the prior mandate, the new mandate reinterprets advice, guidance and service to include offensive and defensive cyber operations along with cyber-security.

The active cyber operations aspect should capture particular attention since it signals Canada’s willingness to actively engage in hacking activities globally:

The active cyber operations aspect of the Establishment’s mandate is to carry out activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.

Bill C-59 limits these cyber operations by providing that they “must not be directed at a Canadian or at any person in Canada.” CSE’s historical defensive operations remain limited because they “must not be directed at any portion of the global information infrastructure that is in Canada”, require Ministerial authorization, and approval from the newly created Intelligence Commissioner. Its newly recognized offensive cyber-operations face similar limitations. However, these limitations do not apply in all circumstances, including activities involving acquiring or analyzing publicly available data or cybersecurity, software, and systems testing.

The challenge of the bill will be to sort through the implications of these provisions. In recent years, there have been many disclosures about Canadian involvement in surveillance activities such as the surveillance of airport wifi or uploads and downloads to Internet storage sites. Would the new provisions explicitly permit such activities?  Consider the combination of an expansive definition of infrastructure and a full mandate to acquire, use, analyze, retain or disclose infrastructure information for purposes such as research and development, testing systems, or cyber-security activities. The definition of infrastructure includes:

(a) any functional component, physical or logical, of the global information infrastructure; or
(b) events that occur during the interaction between two or more devices that provide services on a network – not including end-point devices that are linked to individual users – or between an individual and a machine, if the interaction is about only a functional component of the global information infrastructure. 

It does not include information that could be linked to an identifiable person.

This would appear to open the door to active participation in widespread network surveillance activities and the acquisition of network traffic for the purposes of analysis, testing, retention, or disclosure. These activities would not require authorization. With ministerial and Intelligence Commissioner authorization, the CSE can be authorized to hack into the network, install or distribute anything on the network, and do anything to remain covert. It may even be authorized to carry out “unselected” foreign intelligence acquisition – the same mass surveillance the NSA has been criticized for – so long as these activities are not directed at Canadians. There are some limitations on authorizations, which can last for up to one year. Extensions of the ministerial authorization are not subject to authorization by the new Intelligence Commissioner. The CSE or government’s view of an identifiable person is uncertain, raising questions about whether key digital identifiers such as IP addresses are identifiable in their view.

Not to be overlooked is the significant expansion of CSE’s domestic cybersecurity defence mandate. The agency can now acquire Canadian data and interact with designated Canadian infrastructure or electronic information for the purpose of cyber-defence (designated “cybersecurity and information assurance” activities), granting the agency a significant new role in domestic private sector cybersecurity. The Minister and Intelligence Commissioner must authorize such activities before CSE can engage in them.

However, under Bill C-59, CSE is also granted near limitless discretion to evaluate any system for vulnerabilities (including private sector Canadian systems or systems with extensive Canadian data) under its cybersecurity mandate. No authorization is required from either the Minister or the Intelligence Commissioner to carry out such activities, although presumably CSE would still be limited by wiretapping and anti-hacking protections in the Criminal Code when accessing domestic systems without explicit authorization.

The CSIS provisions expand the collection of datasets that may also have significant cyber-implications. The bill states that CSIS may only collect a dataset if it is publicly available, belongs to an approved class, or predominantly relates to non-Canadians who are outside Canada. This third category on datasets relating predominantly to non-Canadians would seemingly cover major social media and search datasets from the U.S. that include millions of Canadians but do not relate predominantly to Canada. This new scheme comprises a somewhat more tailored attempt to resurrect the CSIS metadata program that the Federal Court recently shut down as “unnecessary.”

Proponents will argue that these cyber-related provisions simply reflect the reality of global communications today and participation in international networks such as Five Eyes. However, Canada’s participation in these networks and the embrace of a more muscular cyber-security strategy should be done with our eyes wide open, recognizing that with explicit authorization for offensive hacking of foreign governments and massive network data collection, Canada is now an active participant in the network disruption and surveillance programs whose revelation shocked many only a few years ago.

8 Comments

  1. Pingback: keep pushing on C-51! – Wake Up To The Truth

  2. The famous cartoon from the New Yorker with caption “On the internet, nobody knows you’re a dog.” comes to mind. Not because of the reference to the effects of anonymity on some people, but because on the internet, nobody knows you’re a Canadian. There is a fundamental flaw in the whole premise (and promise) that the CSE surveillance “shall not be directed at Canadians or any person in Canada”. They cannot know whether a communication is from a Canadian nor that the person is in Canada any more than they can know if it’s a dog.

    It is a sad situation that their claims and talk are even taken seriously by the public. Do a simple traceroute to some of the places you normally go and see how often your communication traverses the USA. Your email, your financial information (if you use HR Block for eg.) and much more is stored on US servers and transits US routes. Beyond that, many of us don’t use an IP that is registered in Canada and GeoIP is a myth in the first place. Our packets do not carry a Canadian identity. That the fundamental assumptions of Bill C-59 are false is probably known to some of the architects – which would make them qualify for the term “evil”. Others may just be naive and unfamiliar with the internet. Neither is acceptable.

  3. I’m reminded of their ability to perform period.
    seen the reports on consolidating, say websites?
    payroll?
    how many billion dollar boondoggles in DBs?

    snerk, The PO using uber yet?

    what I do expect is another attempt to make linux illegal.

  4. Pingback: Critics say Bill C-51 reforms don’t go far enough to protect Canadian privacy – High Tech Newz

  5. My family and I are still under surveillance by Canadian Intelligence and they are still harassing us and they are actively hacking our network here in Burlington Ontario. We are dealing with Cogeco cable internet and they are actively hacking my wife and I and our children and trying to stop us from earning money online. We are constantly finding Rootkits on our operating systems and they are hacking our emails and deleting emails they send us trying to force us to leave Canada. They try to provoke us in public into confrontations with them and they are spreading false information about us to people in our community.

    We are still living in a motel room with our children going on 8 years now and they are trying to force the motel to kick us out and they are stealing our mail still to try to deny us an address to collect mail for our Access To Information requests. They have contacted Cogeco cable and had our cable disconnected for no reason at all and they tried to have our internet disconnected also. We use the Food Bank for food every month and they contacted the Food Bank and tried to get us banned from using their service. We are on government disability and they contacted the Food Bank and told them we were lying about being disabled and the Food Bank told us that our children are able to work so we are not allowed to have food for them and they altered our file at the Food Bank and put down fake names for my wife and I to try to make it look like we were trying to defraud the food bank.

    We found out through Revenue Canada and the Ontario Courts and the RCMP that when we were in BC from 2009 – 2016 they were impersonating me Michael Rodger Heroux to make it look like I was separated from my wife Ingrid Van Eyk and that I was living in Ontario with my daughter and that I negotiated a harassment and an attempted murder and fraudulent 30-08 Terror Warrant settlement with the Ontario Government that obviously we knew nothing about and that is why they tried to murder us when we returned to Windsor Ontario in January of 2013. They didn’t want the Courts to find out about the illegal settlement deal they signed with the Ontario Government on my behalf. They thought they would have got rid of us before we even left BC which that is why they tried to hold us in BC against our will.

  6. Mario Hernan Pailamilla says:

    May I have a copy of Bill- C 51. Thank you.

  7. Pingback: Episode 006 – 2 Dropped Tables and a Microphone

  8. Pingback: Canada's new national security bill: one step forward, two steps back? - RONALD DEIBERT