The Communications Security Establishment Act gives Canada’s signals intelligence and cybersecurity agency its own governing Act for the first time (find out more about CSE here).
Currently, the CSE’s role is sketched out as part of the National Defence Act, and information about its activities is quite sparse: the current law defines CSE’s three-part mandate broadly, gives minimal guidance about what type of activities CSE is to undertake, and provides for little in the way of oversight or review. Conversely, the proposed CSE Act outlines specific activities that CSE will undertake, and weaves better oversight and review processes into CSE’s authorization mechanisms. Having more information about how CSE works built into public law is a noted improvement over a system of secretive Ministerial directives. However, Bill C-59 shouldn’t be a rubber stamp for CSE’s past conduct. Canada needs a meaningful debate on the extent of and limits on CSE’s powers. In some cases it is unclear to what degree the CSE Act gives CSE new powers, and to what extent it is just giving them statutory authority for activities in which it is already engaged. What is clear, however, is that C-59 is an opportunity for people in Canada to take a look at all of these powers and have a conversation about which are necessary, and which go too far.
In addition to maintaining CSE’s three traditional mandates (signals intelligence, cybersecurity, and assistance to other national security and law enforcement agencies), the CSE Act adds sections on both active (offensive) and defensive cyber operations.
While other jurisdictions are considering whether it makes sense to give the same people tasked with finding and fixing dangerous vulnerabilities in digital infrastructure (defensive operations) the competing role of exploiting such vulnerabilities for strategic gain (active operations), the CSE Act gives Canada’s cyber spies the responsibility to do both, without clear guidance on how to decide which role to prioritise in different situations. This includes powers to gain access to computer systems; acquire, change, or delete information; maintain the secrecy of activities; and introduce new vulnerabilities into networks. In other words, the CSE Act is an endorsement of state-sponsored hacking, with minimal oversight for activities that have the ability to profoundly interfere with the security of networks and Charter-protected rights.
The provisions of the CSE Act which require CSE to act in a privacy-protective manner don’t apply to the active and defensive cyber operations mandates. The hacking provisions in Bill C-59 also have troubling implications for freedom of expression and other rights, allowing CSE to interfere with communications tools (such as encryption and anonymity software) that are vital to the protection of human rights in the digital age.
The CSE Act provides that activities must not be “directed at” Canadians or persons in Canada (except if providing technical and operational assistance to other agencies). However, by focusing on the intent behind the activity (who was targeted) instead of the result of that activity (who was impacted), the Act leaves room for Canadians or people in Canada to be collateral damage in CSE’s operations. The CSE Act also includes troubling new exceptions facilitating the warrantless collection of so-called “publicly available information,” which we discuss below, and which has important implications for the privacy rights of Canadians and persons in Canada. CCLA is concerned that this definition appears to cover everything from public social media profiles, to the purchase of data from third parties (however they acquired it), to data dumped by hackers on the dark web.