Among (many) other things, the highly complex bill grants what some critics are calling “extraordinarily permissive” new powers to Canada’s Communications Security Establishment (CSE).
If Bill C-59 were to pass in its current form, the CSE could become far more proactive, launching cyber attacks abroad and engaging in covert operations that could, in theory, involve everything from impersonation to taking down a foreign electrical grid.
Here at home, Canadians may need to worry about their personal information being scooped up by the agency, in spite of rules designed to prevent it.
Here’s a look at the changes, and how they might affect you.
How exactly are the CSE’s powers being expanded?
If passed, Bill C-59 would immediately expand the CSE’s mandate beyond just information gathering.
CSE employees would, for the first time, be allowed to conduct what the Liberal government calls “defensive cyber operations” and “active cyber operations.”
The “defensive” actions, under the law, would need to somehow protect the government’s online information and cyber-infrastructure, as well as other online information and infrastructure “of importance to the Government.”
So the CSE could, for example, disable a foreign server attempting to swipe social security numbers from a government network.
WATCH: Liberals claim Bill C-59 addresses people misidentified on no-fly list
The active cyber operations, meanwhile, could be carried out to “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
That’s a very broad set of potential targets. It’s also worth noting that — short of bodily harm, murder or the perversion of the course of “democracy” or “justice” (terms that aren’t defined in the legislation) — the CSE would also be allowed to do “anything that is reasonably necessary to maintain the covert nature of the activity” when it comes to its defensive or offensive moves.
In other words, it’s unlikely Canadians would ever find out about them, unless we were to be attacked by a foreign actor in response.
A recent paper authored by researchers at the University of Toronto’s Munk School of Global Affairs called that “extraordinarily permissive.” Would the CSE be allowed to pervert the course of democracy, they point out, if it’s not “democracy” as we define it here in Canada?
“From mass dissemination of false information, to impersonation, leaking foreign documents in order to influence political and legal outcomes, disabling account or network access, large-scale denial of service attacks, and interference with the electricity grid, the possibilities for the types of activities … are limited only by imagination,” the researchers wrote.
Bill C-59 will, however, also establish new or expanded oversight mechanisms for these increased powers.
Before engaging in any of the hacking or other actions described above, the CSE would need to get the green light from the federal defence minister (right now, Harjit Sajjan) and, in the case of actively launching cyber attacks on foreign soil, from the minister of foreign affairs (Chrystia Freeland).
The spy agency will also be required to report the outcomes of all these activities to those ministers.
WATCH: How the Big 4 tech companies are erasing privacy
The CSE would, in addition, be subject to more general oversight by two arm’s-length bodies:
- An Intelligence Commissioner responsible for keeping an eye on multiple security agencies
- A National Security and Intelligence Review Agency
But even here, there are potential problems. The Intelligence Commissioner would not, for instance, need to sign off on “defensive” or “active” cyber operations ahead of time. Those approvals would rest solely with the cabinet ministers. (The commissioner would, somewhat oddly, need to approve certain other CSE actions linked to the agency’s traditional mandate of information-gathering.)
The ministers “lack the impartiality, independence, and objectivity necessary to control the activities of an agency such as the CSE in a judicial manner,” the researchers at the University of Toronto wrote.
Asked about that specific issue, a spokesperson for defence minister Sajjan’s office said Monday that protecting Canadians from terrorism, cyber threats and other threats remains a top priority, and Bill C-59 “will enable the Communication Security Establishment to do just that.”
“As the committee’s study is still underway, it would be premature to comment further on what amendments may be introduced,” spokesperson Byrne Furlong added in an email.
“We hope Bill C-59 will move through Parliament in due course, allowing sufficient time for thorough study and debate.”
One of the key elements of CSE’s mandate has always been that it should focus exclusively on foreign actors. Under the current law, the CSE is forbidden from carrying out any activities directed at Canadians or people in Canada.
FROM THE ARCHIVES: CSE monitored Wi-Fi signals at Canadian airports
Bill C-59 keeps this limitation and then tightens it, applying it to all of CSE’s new “defensive” and “active” operations and specifically forbidding the agency from targeting “any portion of the global information infrastructure that is in Canada.”
But, for a number of reasons, this won’t necessarily protect your privacy.
“It is inevitable that Canadian data will be deeply intermingled with non-Canadian data,” the University of Toronto report notes.
“As the CSE is granted near limitless authority to capture any and all non-Canadian data as long as it operates within its mandate, it is openly anticipated that large volumes of Canadian data will be collected, used, and analysed.”
Another issue is that the proposed legislation does allow for the “incidental” acquisition of information relating to a Canadian or person in Canada. This means that in situations where the information wasn’t deliberately sought, your private data could be captured by the CSE.
Finally, there’s the question of “publicly available information” on Canadians or people in Canada. Because it’s already publicly available, the government believes this information can be collected without infringing on privacy.
But what’s considered “publicly available” might surprise you.
The bill defines it as any information that is published or broadcast for public consumption, but also any information that is accessible to the public on or off the Internet (seemingly regardless of whether it was made available legally or though illegal activity like the infamous Ashley Madison dating-site hack), and information that is available to the public upon request, by subscription or even by purchase.
WATCH: NDP accuses Liberal national security legislation of being ‘draconian’
Facial imagery, posts, photographs, videos, relationships and location data shared via social media could certainly qualify. So might personal data made public by hackers.
In briefing notes obtained recently by The Globe and Mail, the CSE said “this is not an authority to conduct investigations or a means of collecting intelligence” on Canadians, but to conduct “basic research.”
Similarly, during testimony before the public safety committee in November, the CSE’s deputy chief of policy and communications, Dominic Rochon, explained that “we need to understand exactly how the global information infrastructure is actually set up. There is a lot of public information available that explains the infrastructure. What this provision allows us to do is to study that and understand advances in technology.”
Bill C-59 remains before the Standing Committee on Public Safety and National Security, which has two meetings scheduled this week.
After the committee is finished, the bill will return to the House of Commons for a second reading, potentially with significant suggested amendments.