Spy agency exec calls for debate on encryption
Canadians urged to question online security and privacy when using digital devices
OTTAWA— Canadians are being encouraged to ask more questions about the security of their electronic devices from an unlikely source — an executive at the country’s electronic intelligence agency.
Scott Jones, the deputy director of IT security at the Communications Security Establishment (CSE), said Canadians need to start taking a greater interest in how their electronic devices protect personal information.
“We should be asking when we go and buy the stuff we have at home, OK, tell me how it’s being protected,” Jones said in an interview.
“If it’s my cellphone, does it have encryption if I lose it? Can somebody just read the data off of it or not? We need to start asking questions like that . . . We need to start helping each other, and helping citizens, helping businesses, helping the government. When we’re buying these products, they need to be secure by default.”
It may come as a bit of a surprise to hear an employee at CSE counselling Canadians to protect private information. The agency was thrust into the spotlight after U.S. whistleblower Edward Snowden’s disclosures.
CSE is part of the Five Eyes security alliance, which includes spy agencies in the U.S., the United Kingdom, Australia and New Zealand. Snowden’s disclosures revealed the mass surveillance programs used by those countries, including programs that scooped up their own citizens’ data.
Jones’s comments also come as law enforcement agencies in the U.S. and Canada are forcefully arguing for the need to limit encryption — calling for so-called “back doors” that would let authorities decode citizens’ data.
The argument is that encryption helps bad guys — terrorists, organized crime, child pornographers — hide their tracks. The everyday uses for encryption, such as protecting credit card transactions, safeguarding personal messages, or protecting sensitive government documents, are brought up less often.
When this is pointed out, Jones agreed the debate is a difficult one to resolve.
“I don’t take it personally, because I think it’s a really important question,” Jones said. “(We need) a rational debate over the tools that law enforcement needs to do its job, right? I trust law enforcement to keep me safe, but I also trust the legal system to protect my privacy as well, and to find a balance. But we haven’t been able to have those conversations in this country (yet).”
Christopher Parsons, a researcher at Citizen Lab at the University of Toronto, said there are very good reasons that CSE might want to encourage Canadians to take their security more seriously online. Parsons pointed to a recent cyberattack where hackers harnessed everything from hijacked security cameras to Internet-connected baby monitors to launch one of the most powerful attacks in the Internet’s history.
“I think that CSE, along with other agencies, are just really becoming aware of the implications of the unsecured Internet of Things in particular,” Parsons said in an interview Saturday.
“They’re pretty mindful of the implications of if we have this (Internet) infrastructure all around . . . just what a nightmare it’s going to be for them, both in terms of defending government systems, but also in terms of just trying to figure out how the hell they’re going to protect themselves.”
Parsons said it was an encouraging sign that CSE, whose very existence was considered a state secret at one time, is actually talking about these issues publicly.
The Liberal government is currently in the middle of a review of both its cybersecurity policies and Canada’s overall defence policy — two reviews that could have serious implications on CSE’s future role and mandate.
Whatever the outcome of those reviews, “cyber” issues will only grow in importance. The government will continue to look to protecting their own networks, while considering how much access authorities should have to other peoples’ information. Jones said that already “cyber” is too big for any one government actor to handle on its own.