Evidence of meeting #90 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Daniel Therrien  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Brenda McPhail  Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual
Hayley McNorton  Research Assistant, Department of Political Science, Royal Military College of Canada, As an Individual
Cara Zwibel  Acting General Counsel, Canadian Civil Liberties Association
Lex Gill  Advocate, National Security Program, Canadian Civil Liberties Association

10:20 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

All right.

10:20 a.m.

Acting General Counsel, Canadian Civil Liberties Association

Cara Zwibel

May I have an opportunity to answer that question?

10:20 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Please do.

10:20 a.m.

Acting General Counsel, Canadian Civil Liberties Association

Cara Zwibel

We feel that the scheme laid out in Bill C-59, as we said, is an improvement in terms of clarifying what the contours of threat disruption look like and making clearer to both the public and to the service itself what the acceptable and prohibited bounds are. In particular, the addition of prohibited activities, including detention, was in our view quite an important one.

I want to reference that when we expressed concerns about disruption and why this is not being done by law enforcement, some of that has to do with making sure we can effectively prosecute people once we determine they've done something contrary to the law. The other thing is that we've never been particularly concerned about the kind of disruption you mentioned, such as talking to a parent and saying, “Your child's been getting into some trouble.” We're more concerned with some of the items that are now specifically enumerated in the legislation—things like fabricating or disseminating any information, record, or document; altering or removing websites and communications, and things like that. It's helpful, in our view, to have those in the legislation.

We have suggestions for how the warrant scheme might be improved, and we can elaborate on those in our written submissions.

10:25 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you.

Mr. Leuprecht, from your background and history of working in cybersecurity, are there steps we need to be taking to protect our critical infrastructure? Does restricting CSE to reacting to significant and widespread threats help Canada or delay our ability to respond?

10:25 a.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

The government's proposed establishment of an act for CSE itself is a huge improvement and innovation over the current situation, where it is embedded in the National Defence Act.

I would say that on cybersecurity in this country, by and large not only do we have our head in the sand, but we need to do much better, especially at the intelligence sharing. The CCTX, the new mechanism to exchange cyber-intelligence, is a good improvement here. One challenge we have had is that CSE is, by law, extremely restricted as to what it can share with the private sector, and under what conditions. In this area, you ultimately need to prevent, anticipate, and have effective and timely intelligence sharing, given how quickly cyber-challenges and threats move. It is integral.

Other countries are much further ahead, if you look at Australia, the Netherlands, Israel, or the United Kingdom. This is what's sometimes known as phase two. If we cannot effectively protect our cyber-infrastructure, that is going to have a deleterious consequence for our economy, because people will only invest in innovation, in R and D, in the Canadian economy if those elements are then also protected. Why would you invest, if that's going to be immediately stolen? We know this country has done particularly poorly on the innovation agenda, and luckily, this government is trying to improve Canada's innovation capacity. That will not be effective if we can't then also ensure that the cyber-domain is effectively protected.

10:25 a.m.

Advocate, National Security Program, Canadian Civil Liberties Association

Lex Gill

Sorry, Mr. Chair, may I have an opportunity to respond to that question as well?

10:25 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

I have 30 seconds. I have one more question I want a response to. Sorry.

Bill C-59, as we've heard from the Department of Justice, will make it more difficult for law enforcement to secure preventative arrests. Now, because the threshold to secure such an order is being raised, do you, Mr. Leuprecht, consider this to be problematic?

10:25 a.m.

Liberal

The Chair Liberal John McKay

We're going to have to hold the answer to that question, because we've just run out of time.

10:25 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Could you provide the answer to the question to the committee in writing?

December 7th, 2017 / 10:25 a.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

10:25 a.m.

Liberal

The Chair Liberal John McKay

Mr. Dubé, you have seven minutes. Go ahead, please.

10:25 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Mr. Chair.

I don't know if you want to answer that question, because I'm coming to the cybersecurity stuff as well.

10:25 a.m.

Advocate, National Security Program, Canadian Civil Liberties Association

Lex Gill

I would love to. Thank you for the opportunity.

The question was about how Canada's cybersecurity can be improved. I would like to draw the committee's attention to the active and defensive cyber-operations aspects of CSE's mandate that have been added in proposed sections 20 and 19 respectively. It's our position that the inclusion of these two aspects and the activities that come along with them may actually run counter to Canada's broader security interest.

I would draw the committee's attention in particular to the short list of prohibited conduct in proposed section 33. I think there are at least three fundamental problems with that proposed section. The first issue is that, for reasons that are not clear to us, the explicit limitations for prohibited conduct apply only to authorizations issued under the defensive and active cyber-operations component of the mandate and not to the rest of CSE's activities.

The second issue is that neither “justice” nor “democracy” is defined in the act, leaving the limitation about interfering with the course of justice and democracy vague and open to perhaps creative interpretation.

The third problem is that this short list of prohibited conduct, from our perspective, is radically under-inclusive, and at minimum the committee should compare the list in proposed subsection 21.1(1.1) of the CSIS Act with that in proposed subsection 33(1). We are concerned about the broad scope of potential activities that CSE would be able to conduct under these aspects of the mandate. We're not convinced that they've been appropriately justified.

10:25 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you for that.

I want to stay in part 3 of the bill as well and look specifically at proposed section 24. I'm hoping to hear from everyone but in particular from you, Ms. Gill.

You mentioned encryption software and some of the applications that are used and not used just by so-called bad guys but also by law-abiding Canadians seeking to protect their privacy. In the course of, in particular, proposed paragraphs 24(1)(b) and 24(1)(c), where we're talking about essentially testing and studying information infrastructure and evaluating software and testing them for vulnerabilities, does that potentially create a situation in which we can go down that rabbit hole to find ways to counter some encryption that can be used for the lawful purposes of simply having the peace of mind of protecting your privacy?

10:30 a.m.

Advocate, National Security Program, Canadian Civil Liberties Association

Lex Gill

Certainly, we know that allied intelligence agencies have engaged in the past in activities meant to interfere with or undermine encryption and anonymity tools. I think we should be concerned about those types of operations, not just in the course of the testing and infrastructure information aspects under proposed section 24, but more generally in the pursuit of the foreign intelligence mandate. Encryption and anonymity tools are vital to protecting the safety of Canadians and persons in Canada as well as Canadian infrastructure. We should be concerned if CSE ends up inadvertently working at cross-purposes by interfering with the very tools designed to protect us.

I would also raise something that's been raised in the past, which is that there's no public framework for disclosing vulnerabilities. While CCLA doesn't have a concrete position on that yet, it is an open issue, from our perspective.

10:30 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

When you say “disclosing vulnerabilities”, do you mean CSE disclosing those to, say, the private sector, so, for example, a telecom company?

10:30 a.m.

Advocate, National Security Program, Canadian Civil Liberties Association

Lex Gill

Right. It's responsible disclosure to ensure that where CSE finds vulnerabilities and where it's appropriate in the public interest to do so, that they are disclosed responsibly in order to protect privacy interests as well as expression interests. This is not just about privacy rights. Of course, these types of technologies, our digital ecosystem is an important guarantor of the right to freedom of expression protected under paragraph 2(b) of the charter as well as broader interests of security and liberty that all Canadians and this committee are very concerned about.

10:30 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I also wanted to look at proposed subsection 24(4), Information acquired incidentally. I don't know if you had any thoughts on that, where it says:

The Establishment may acquire information relating to a Canadian or a person in Canada incidentally in the course of carrying out activities under an authorization issued under

and then it lists the appropriate subsections.

Especially in the context of information sharing, is there any concern with that type of provision?

10:30 a.m.

Advocate, National Security Program, Canadian Civil Liberties Association

Lex Gill

That's something we hope to detail more explicitly in our written submission.

We are concerned about that. The word “incidentally” is defined but the limitation of not directing is not defined anywhere in the act, and that's a concern that experts, including Bill Robinson, have raised in the past. This would help better define the contours of what we mean. Certainly, to the extent that CSE engages in unselected bulk collection, there will be incidental collection of Canadian data. We do have to make sure that explicit, clear, and detailed measures are taken to ensure that this information is handled responsibly where collected.

10:30 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Okay.

My last question on part 3 concerns the many sections dealing with ministerial authorizations. I don't know whether you have any thoughts on that. In particular, one aspect is the extension of the period of validity without its being subject to review by the commissioner created by this very same bill.

10:30 a.m.

Advocate, National Security Program, Canadian Civil Liberties Association

Lex Gill

We are concerned about the ability to extend by the one-year period, but we think it's important that where there's a significant change in the scope of the authorization, it be brought to the commissioner's attention. We think that's important.

We want to also raise that the authorization framework for active and defensive cyber-operations is extremely problematic from our point of view, insofar as those operations have the capacity to significantly interfere with express privacy or security interests of Canadians and persons in Canada and persons elsewhere. We don't believe that ministerial authorization through the minister and the Minister of Foreign Affairs is sufficient. We would prefer to analogize these types of powers to the disruption or reduction powers in the CSIS Act. We note that there is a much more rigorous system for oversight and prior authorization in that context.

I would also note that if the committee decided not to adopt these aspects of the CSE Act that allow CSE to engage in active defensive cyber-operations unbound from other aspects of its mandate, CSE could continue to assist CSIS through its assistance mandate in the course of threat reduction activities.

Thank you.

10:35 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

It's judicial oversight, essentially.

10:35 a.m.

Advocate, National Security Program, Canadian Civil Liberties Association

Lex Gill

That will be detailed in our written submissions. For now, what I feel comfortable putting on the record is that we're not comfortable with ministerial authorization alone.

10:35 a.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you.