A close look at the proposed “CSE Act”

The Citizen Lab is releasing a new report today, in collaboration with our partners at the Canadian Internet Policy & Public Interest Clinic (CIPPIC), entitled, “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59.”

The 75 page report provides a detailed overview of Canada’s SIGINT agency, the Communications Security Establishment (CSE), an analysis how the Liberal government’s new proposed national security legislation, Bill C-59, will impact its mandate, operations and oversight, and some recommendations on legislative and other changes.  

The report was researched and written by our SIGINT working group at Citizen Lab that includes (along with myself) Christopher Parsons, Lex Gill, and Bill Robinson, and CIPPIC’s Tamir Israel.  

Agencies like CSE are critical to public safety, foreign policy, and national security.  It is essential that they are well-equipped and trained.  However, their extraordinary and far-reaching capabilities and activities present enormous governance challenges for liberal democratic societies.  Much of CSE’s activities are shrouded in secrecy — the most highly classified of any Canadian government agency.   There are obvious good reasons for that secrecy.  But government secrecy without strong independent oversight is a recipe for the abuse of power.

It is important to recognize that CSE does not act alone.  It is part of a large and very powerful global alliance of SIGINT agencies that share data, infrastructure, and personnel.  Among those partnerships the most important is the “Five Eyes” alliance that includes New Zealand, Australia, the United Kingdom and the United States’ massive National Security Agency. These alliances allow Canada to “punch above its weight,” but they can also further obscure CSE’s activities and distance them from proper domestic oversight.

CSE’s expertise is in the area of data collection and analysis — the “signals” of “signals intelligence”  Whereas at one time this expertise was focused on the interception of a relatively narrow band of diplomatic, military, and government communications, today it’s focused on all of society’s communications, all of the time.  This broad sweep may be necessary and justifiable to identify threatening “needles in haystacks” that could wreak havoc. But it also raises tremendous and largely unprecedented civil liberties’ concerns.  At a time when we have turned our digital lives inside out, and carry around in our pockets devices that track our movements, social relationships, and habits, agencies like CSE have been granted extraordinary powers to collect and monitor it all.  Making sure such agencies are checked with thorough oversight and public accountability measures is critical to liberal democracy.

The proposed Communications Security Establishment Act  ( “CSE Act” ) is a major component of the comprehensive national security reforms proposed by the Trudeau government in Bill C-59. Among the many far-reaching implications of the CSE Act, Bill C-59 would add an entire new “mandate” to CSE to engage in “active cyber operations,” which in other words means granting the CSE authorization to engage in state sponsored hacking.  Although CSE has for many years already engaged in such activities, codifying this mission into law as an entirely new mandate will legitimize and undoubtedly amplify them.  The implications of doing so definitely require broad public debate.   

Having CSE engage in state sponsored hacking will (among other things) further the already harmful and opaque practice of hoarding software vulnerabilities as weapons of warfare and intelligence, as opposed to disclosing them to vendors in the interest of public safety; encourage the poorly regulated market for commercial spyware, whose harmful consequences the Citizen Lab has extensively documented; and contribute to the normalization abroad of the already dangerously escalating militarization of cyberspace, including the spread of state-sponsored disinformation campaigns.  For a heavily networked country so dependent on global communications, Canadians should seriously debate what is most in our national interest: to contribute to an already escalating arms race in cyberspace, or to be a force for mutual restraint and the control of weapons instead?

Our 75 page analysis raises numerous issues of concern for CSE around Bill C-59, as well as outlines over 50 recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Our post and a link to the full report can be found here https://citizenlab.ca/2017/12/citizen-lab-and-cippic-release-analysis-of-the-communications-security-establishment-act/.