Bill C-59: Mass Surveillance and Cyber Powers

Read our intro to Bill C-59 here

Bill C-59 makes major changes to Canadian mass surveillance and cyber powers, especially through the new Communications Security Establishment Act, along with amendments to the Canadian Security and Intelligence Service or CSIS Act.

The CSE and mass surveillance

The new Communications Security Establishment Act had us do a double-take since the Communications Security Establishment (CSE) has existed since… World War II.

The CSE’s primary role is monitoring foreign signals intelligence (SIGINT), collecting communications and data that is analysed for national security purposes. The CSE was established during World War II, but remained secret until it was exposed by the Fifth Estate on CBC in the mid-1970s. It was then transferred officially under the control of National Defense Canada, but its three-pronged mandate was only written into law with the first Anti-terrorism Act of 2001. It is the most secretive and least known of the three main national security organizations — CSIS, RCMP and CSE — but has played a growing role in national security, having expanded to over 2000 staff and built a new campus in Ottawa, inaugurated in 2015.

It’s important to legislate an agency like CSE since it has such powerful electronic spying powers. But we don’t have to accept everything it does, even if it has been doing it for decades. Let’s not forget that in 2012, the CSE spied on Canadians using public WiFi networks in Canadian airports. The agency — and its watchdog — claimed this was ok since they only collected metadata. Metadata is the context of a communication, as opposed to its content: for example, an IP address, an email address, a phone number, the time of a transmission or the location of a device. But we (and they) know that metadata can reveal tons of private information about a person and their life: where they have been, what they believe, who they talk to, etc. The CSE Act still does not consider metadata to be off-limits, so C-59 will allow CSE to sweep up Canadians’ private information, and will basically legislate mass surveillance.

Other issues with CSE surveillance include:

  • Almost all CSE commissioners over the years have found a number of records suggesting that some of the CSE’s activities may have been directed at Canadians, contrary to law, and that a number of CSE records relating to these activities were unclear or incomplete. They were thus “unable to reach a definitive conclusion about compliance or non-compliance with the law”.
  • In 2016, it was revealed that in 2013 the CSE discovered it was sending metadata on Canadians to our Five Eyes allies without the proper scrubbing to hide identities. How many Canadians? We don’t know. It was also revealed that the Conservative government in power at the time knew about the breach and decided to hide it from the Canadian public.
  • CSE is also part of what we call the Five Eyes, an alliance of spy agencies from the US, the UK, New Zealand, Australia and Canada. Officially, these countries do not spy on each other. But it has long been established that the Five Eyes do spy on their allies, and that they exchange information on each other’s citizens. This practice is not being addressed by the new CSE act in Bill C-59.

For more details on the long list of problems with the CSE, check our compilation.

CSE and cyber powers

The CSE Act also grants the national security agency new defensive and active cyber operation powers. “Cyber operations” is basically government-speak for cyber warfare: hacking, disrupting of networks, interference with communications, etc. This is clearly concerning and needs to be examined closely.

Why should we be concerned?

These powers can be triggered solely through a decision by the Minister of National Defense, in consultation with the Minister of Foreign Affairs — it does not require the approval of the Intelligence Commissioner or the Parliament. While there are certain restrictions – the minister may only authorize activities if they cannot be achieved through other methods, and they are limited from causing bodily harm, or subverting justice or democracy – these powers are akin to military actions and must be discussed publicly. Instead, a report on the activities will be shared with the new National Security and Intelligence Review Agency (NSIRA), but with no guarantees that there will be public reporting on these activities.

What could these activities entail? According to the bill, they could include “installing, maintaining, copying, distributing, searching, modifying, disrupting, deleting or intercepting anything on or through the global information infrastructure” and “carrying out any other activity that is reasonable in the circumstances and reasonably necessary in aid of any other activity, or class of activities, authorized by the authorization.” As you can see, these provisions allow for an incredibly broad range of activities.

On November 12, the New York Times reported that there had been a major leak of NSA’s cyberweapons, which were then in turn used to hack businesses and civilians worldwide. So not only can offensive hacking make us unsafe because of potential retaliation, these cyberweapons could be leaked and we could become targets of criminals.

The following issues should be addressed and fixed:

  • The CSE’s mandate would now mix international affairs, national defense and national security, making it way too large.
  • The Defence Minister’s ability to decide on offensive cyber operations is way too broad and, like other military actions, should be debated in Parliament.
  • Unless it is absolutely necessary and pre-authorized with a warrant, the CSE should not be allowed to collect “publicly available information” – which it could also buy from data brokers (with our tax dollars!), encouraging that damaging practice.
  • The privacy protections are badly defined and too weak; they must be improved.
  • The Minister’s authorizations of mass surveillance should only be approved if they are “necessary”, not merely reasonable.
  • There should be some clarity about CSE’s role in the Five Eyes alliance and allies should not be able to spy on each other’s citizens because they cannot spy on their own.
  • A definition of metadata needs to be included in the act and there should be robust restrictions on its collection and retention as they constitute mass surveillance.

CSIS and mass surveillance

While C-59 proposes a lot of important changes to the CSIS Act, here we’re just going to focus on changes related to surveillance, also known in the bill as data collection, retention and exploitation.

Historically, CSIS has engaged more in what is called HUMINT – human intelligence: going out and collecting information in person on targeted individuals. Over the years, though, they have become much more engaged, like the CSE, in SIGINT: signals intelligence. Unlike the CSE, they are allowed to collect data inside Canada and about Canadians. However, CSIS is supposed to limit the information that they keep to what is directly related to a particular target or investigation – extraneous information should be destroyed. In 2016, though, a federal court judge found that CSIS, through its Operational Data Analysis Centre (ODAC) program, was illegally spying on Canadians for over a decade. It was an intense betrayal of trust, with the courts finding that CSIS had broken its duty of candour – essentially, its responsibility to tell the truth.

Instead of restricting these activities, C-59 is basically enshrining them into law. It’s creating the concept of « datasets », or categories of information CSIS is allowed to collect – with the Minister of Public Safety’s authorization, and the Intelligence Commissioner’s approval.

On top of all that, C-59 allows the collection of data “relevant to the performance of CSIS”, which is too broad; it allows the collection of datasets that do not directly relate to activities that are a threat to the security of Canada; and it allows datasets that are publicly available to be « retained, queried and exploited ».

CSIS and immunity from the law

Another addition to the CSIS Act that has us very concerned is the « Classes of acts or omissions ». Bill C-59 defines them as follows: « Classes of acts or omissions: The Minister shall determine those classes that would otherwise constitute offences but that designated employees may be justified in committing if the Minister thinks that is reasonable in relation to CSIS duties and threats to the security of Canada. »

This means that the minister can decide what laws CSIS can either break or ignore with immunity from the law. These classes that would otherwise be offences could encompass A LOT of acts and could once again lead to a lot of abuses, especially for a spy agency that mostly operates in secret. This is a law enforcement power (that should be debated as well) and it shouldn’t be given to secretive spy agencies.

In brief, the following issues should be addressed and fixed:

  • C-59 legalizes unnecessary data collection and retention and it shouldn’t.
  • The article allowing the collection of data “relevant to the performance of CSIS” is too broad and should be removed.
  • The section that allows the collection of datasets that do not directly relate to activities that are a threat to the security of Canada should be removed (seriously why is this even allowed if the data is not related to a security threat??)
  • Datasets that are publicly available should not be « retained, queried and exploited »
  • The section on immunity of otherwise unlawful acts or omissions should be removed.

Concerned about these issues and want more protections for your human rights in the context of national security? Sign on to our action!

Since you’re here…

… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties.

You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work.

You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!