‘Case not made’ for Liberal bill’s vast powers: study
The Liberal government’s ill-defined plan to give Canada’s cyberspy agency wideranging powers to go on the attack against threats could trample civil liberties, warns a newly released analysis.
The report by leading Canadian cybersecurity researchers says there is no clear rationale for expanding the Communications Security Establishment’s (CSE) mandate to conduct offensive operations.
“The case has not been made that such powers are necessary, nor that they will result in a net benefit to the security of Canadians.”
The 71-page report, made public Monday, was prepared by a team of five researchers from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.
It delves into intricacies of the sweeping Liberal security bill, tabled in June, that would give the CSE new authority to conduct both defensive and offensive cyberoperations. The report makes 45 recommendations to safeguard privacy and human rights.
The Ottawa-based CSE uses highly advanced technology to intercept, sort and analyze foreign communications for intelligence of interest to the federal government. It is a member of the Five Eyes intelligence alliance that also includes the United States, Britain, Australia and New Zealand.
The Liberal legislation, which followed extensive public consultations, would give the CSE new muscle to engage in state-sponsored hacking and other covert measures. It would be authorized to interfere “with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
In a statement Monday, the CSE said the agency operates in a rapidly evolving technological world and needs updated legislation and expanded licence to respond to those changes and continue to protect Canadians.
However, the newly released analysis says the scope of the planned authority is not clear, nor does the legislation require that the target of the CSE’s intervention pose some kind of meaningful threat to Canada’s security interests.
The previous Conservative government gave the Canadian Security Intelligence Service, the national domestic spy service, the power to disrupt plots that threaten Canada, not just gather information about them. Disrupt could mean anything from defacing a website to sabotaging a vehicle.
The CSIS powers stirred controversy, raising fears of constitutional breaches, and the Liberal bill refines them to ensure consistency with the Charter of Rights and Freedoms.
The analysis says the proposed new CSE powers “have the capacity to be at least as invasive, problematic and rights-infringing” as activities conducted by CSIS in the course of its threat-reduction activities.
The authors recommend the CSE be required to obtain judicial warrants, much like CSIS does, before taking disruptive actions in cyberspace. At minimum, there should be a more robust plan for independent, real-time oversight of the CSE’s offensive activities.
The CSE notes it would be explicitly prohibited from directing active cyberoperations at anyone in Canada or at Canadians anywhere, adding they would be undertaken only when authorized by both the defence and foreign affairs ministers.
It stresses it is a foreign intelligence and cybersecurity organization, not a domestic security or law enforcement agency. “Warrants for law enforcement and security agencies are generally for specific targets or operations that can be directed at Canadians or persons in Canada.”