Canada’s spy agency must be reined in
MPs considering new laws to expand the powers of the Communications Security Establishment (CSE), Canada’s signal intelligence agency, must heed a dire warning found in a treasure trove of surveillance records.
The B.C. Civil Liberties Association (BCCLA) recently published nearly 5,000 pages of documents detailing CSE’s surveillance practices, warning they “paint a picture of a powerful spy agency in dire need of oversight.”
Their publication is timely, with MPs on the House of Commons’ Public Safety committee about to start scrutinizing Bill C-26, controversial cybersecurity legislation that would grant CSE sweeping new powers. The documents raise serious concerns for MPs tasked with reviewing the bill.
First, the BCCLA highlights “how hard CSE pushes up against the edge of legality, and pushes back against even the most reasonable regulation and oversight.” When CSE management previously testified before Parliament, they assured MPs that they respect their strict legal prohibition against spying on individuals in Canada.
In reality, CSE collected vast quantities of our sensitive information, including records of Canadians’ use of Google, Facebook, Instagram and more, while exploiting its security arrangements with government departments to intercept private communications, the BCCLA reported. And, for five years, CSE illegally shared Canadians’ private data with its Five Eyes counterparts in the U.S., U.K., Australia, and New Zealand.
That’s how CSE handles the invasive powers it already has. Bill C-26 pours fuel on this fire, placing CSE at the nexus of Canada’s information-sharing framework and empowering it to obtain and distribute our private information from a swath of federally regulated companies that Canadians trust — including banks, telecommunications providers, energy companies, and airlines, already operating under woefully inadequate privacy rules.
Second, the documents expose a deeply troubling CSE accountability deficit, which persists today, notwithstanding the creation of watchdogs like the National Security and Intelligence Review Agency (NSIRA).
NSIRA seemed like an encouraging step forward — but CSE refused to play ball. As Dr. Christopher Parsons, one of Canada’s foremost experts on surveillance law, writes, “For two straight years, NSIRA has said it’s had problems getting access from the CSE to information that the watchdog uses to confirm the lawfulness of the CSE’s activities.”
And, when NSIRA complained about CSE’s disregard for international human rights law, CSE replied that this was merely a “philosophical disagreement.”
Well the law, and our rights, aren’t here for philosophical creativity. And frustratingly, this culture of disregard for the law permeates CSE to this day.
CSE’s track record is clear. For decades, they’ve played fast-andloose with their legal obligations. When MPs finally created a meaningful oversight body, CSE treated it with utter contempt. How can any MP justify granting extensive new powers to CSE in Bill C-26 when it refuses to be held responsible for those it already has?
CSE costs taxpayers over $850 million a year, yet it remains an agency with a stark accountability deficit, scant respect for the law, and a history of vacuuming up our private information on an unimaginable scale — then sharing it with foreign partners without care for how it may be used.
Now MPs are faced with Bill C-26, which is basically the CSE wish-list bill. If left unamended, Bill C-26 would grant CSE unprecedented access to our private information without any commensurate increase in accountability or transparency, or any safeguards to ensure our information doesn’t end up in foreign hands.
Thankfully, there is a way forward. Before any expansion in CSE powers can be considered, MPs must first fix the current gaping accountability gap.
Even then, any new cybersecurity powers must be strictly circumscribed, limited to the defensive aspect of CSE’s mandate, and subjected to robust parliamentary oversight.
By their actions over many years, CSE has lost the trust of Canadians — yet effective cybersecurity requires broad public support. MPs need to keep these facts front-andcentre when scrutinizing Bill C-26, and fix this deeply flawed legislation so that it delivers the cybersecurity we need while upholding our basic rights.