The Liberal government’s ill-defined plan to give Canada’s cyberspy agency wide-ranging powers to go on the attack against threats could trample civil liberties, warns a newly released analysis.
The report by leading Canadian cybersecurity researchers says there is no clear rationale for expanding the Communications Security Establishment’s mandate to conduct offensive operations.
“The case has not been made that such powers are necessary, nor that they will result in a net benefit to the security of Canadians.”
The 71-page report, made public today, was prepared by a team of five researchers from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.
It delves into intricacies of the sweeping Liberal security bill, tabled in June, that would give the CSE new authority to conduct both defensive and offensive cyberoperations. The report makes 45 recommendations to safeguard privacy and human rights.
The Ottawa-based CSE uses highly advanced technology to intercept, sort and analyze foreign communications for nuggets of intelligence that are of interest to the federal government. It is a member of the Five Eyes intelligence alliance that also includes the United States, Britain, Australia and New Zealand.
Related: Federal government needs help tackling cyberthreats, internal report warns
The secretive CSE has been thrust into the headlines in recent years due to leaks by Edward Snowden, the former spy contractor who worked for the National Security Agency, the CSE’s American counterpart.
The Liberal legislation, which followed extensive public consultations, would give the CSE new muscle to engage in state-sponsored hacking and other covert measures. It would be authorized to interfere “with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
However, what this exactly means isn’t clear, nor does the legislation require that the target of the CSE’s intervention pose some kind of meaningful threat to Canada’s security interests, the report says.
The previous Conservative government gave the Canadian Security Intelligence Service, the national domestic spy service, the power to disrupt plots that threaten Canada, not just gather information about them. Disrupt could mean anything from defacing a website to sabotaging a vehicle.
The CSIS powers stirred controversy, raising fears of constitutional breaches, and the Liberal bill refines them to ensure consistency with the Charter of Rights and Freedoms.
The analysis says the proposed new CSE powers ”have the capacity to be at least as invasive, problematic and rights-infringing” as activities conducted by CSIS in the course of its threat-reduction activities.
The authors recommend the CSE be required to obtain judicial warrants, much like CSIS does, before taking disruptive actions in cyberspace. At minimum, there should be a more robust plan for independent, real-time oversight of the CSE’s offensive activities.
Related: Human rights, cyber security to be part of Canada-China free trade consultations
They also caution that endorsing state-sponsored cyberoperations has serious international implications, and is ”likely to legitimize and encourage other states — including those with problematic human rights records — to do the same.”
Jim Bronskill, The Canadian Press