Cyber Insecurity

What we don’t know about Canada’s digital spy agency

Logo for The Walrus

Atop secret report from 2008 was one of the first signs that something might be amiss with Canada’s electronic intelligence gathering activities. Not that they were necessarily unlawful, but, according to retired Supreme Court justice Charles Gonthier—who was tasked with scrutinizing the government’s shadowy cyber spy agency, the Communications Security Establishment—there were areas of concern. At issue was the CSE’s collection of metadata—that is, data about data, such as the duration of a phone call and the recipient’s number, but not the content of the call itself. Gonthier worried that the agency may have been collecting this information inappropriately. If so, it was possible that the CSE was acting outside the bounds of its mandate—not to mention, arguably, violating the constitution.

This was long before revelations of widespread electronic eavesdropping rocked the US last year; in fact, in 2008, few Canadians had likely heard of the CSE (also known as the Communications Security Establishment Canada, or CSEC), our equivalent of the US National Security Agency. Gonthier’s report would have stayed secret, too, but a heavily redacted copy was released in 2013 under a Globe and Mail Access to Information Act request. That it was not made public sooner—that there was never any intention of releasing the report at all—speaks volumes. We face the difficult task of trying to reform a secretive agency without knowing what, exactly, needs reforming.

The CSE is tasked with trawling through the Internet’s troves of digital data—or, as the agency puts it, with gathering foreign intelligence “from the global information infrastructure.” It’s safe to assume that anything sent or received on the Internet is fair game for collection and analysis, all in the name of keeping Canada and its partner countries safe.

This isn’t just tinfoil-hat theorizing; other governments around the world gather similar information. The documents that former NSA subcontractor Edward Snowden has leaked provide an astoundingly clear picture of how agencies such as the NSA and Britain’s Government Communications Headquarters work. As the Guardian reported last year, the GCHQ has tapped more than 200 fibre optic cables—including transatlantic Internet cables linking the UK to Canada and the US—in an effort to siphon chat histories, phone conversations, emails, and more. One of Snowden’s first leaks to the newspaper disclosed that, as recently as April 2013, the NSA had ordered cellular provider Verizon to hand over call records on an “ongoing daily basis.” Still, while new evidence of NSA abuse seems to arise every month, Canadians have largely been left in the dark.

Here’s what we do know. The CSE was founded after World War II as the Communications Branch of the National Research Council, and was renamed in 1975 when it moved to the Department of National Defence. It boasts some of the world’s most talented cryptographers among its 2,200 employees, many of whom will move to the agency’s new $1.2-billion Ottawa headquarters later this year. In 2013, the agency was given a budget of close to $500 million to parse and analyze foreign electronic communications, phone records, public Internet postings, and more.

Legally, the CSE can’t directly target Canadians at home or abroad, but it can collect information—including, with ministerial authorization, private communications—about citizens “incidentally,” while surveilling foreign targets or protecting government systems. The CSE can also assist other law enforcement and security agencies, such as the police, the Canadian Security Intelligence Service, and the so-called Five Eyes intelligence gathering alliance, which includes the US, UK, New Zealand, and Australia.

The CSE has operated its metadata collection program, which scours the Internet for call records and other types of information, since at least 2005; in 2011, then defence minister Peter MacKay renewed it under a ministerial directive. (The NSA operates a similar program—albeit much larger in size and scope—that gathers emails, photos, chat records, and communications logs directly from servers belonging to Google, Yahoo, and other companies.) In April, the British Columbia Civil Liberties Association filed a class-action lawsuit against the federal government, challenging the constitutionality of the agency’s metadata collection practices.

We also know that, in 2012, the CSE tracked people travelling through an unnamed major Canadian airport as part of a trial run for software it developed in partnership with the NSA. (Officials deny that this was a form of spying, since no one was actually identified and the operation was conducted for the sake of research.) As for actual foreign electronic spying—one of the CSE’s core mandates—the agency was reportedly involved in surveillance efforts targeting Brazil’s ministry of mines and energy.

Most of what we know about the CSE comes from the Snowden leaks—which have disclosed details about the NSA’s foreign partnerships—and access to information requests by Globe reporter Colin Freeze. But there are no major whistle-blower here, no cache of documents to consult. And, unlike the US, we lack even a modicum of legislative scrutiny—no oversight committee, no MPs with security clearance. Last year, former privacy commissioner Jennifer Stoddart cited the CSE’s lack of openness as a primary concern, and the controversial new privacy commissioner, Daniel Therrien, while reticent to criticize the agency outright, has called for more public discussion of its activities. Currently, its only gestures toward accountability are reports like Gonthier’s—periodic, classified reviews conducted by retired judges, with a neutered summary released to the public each year.

In June, Liberal MP Joyce Murray tabled the CSEC Accountability and Transparency Act. The private member’s bill would establish a parliamentary oversight committee, composed of six members of the House of Commons and three senators, who could study the government’s intelligence and national security activities in an official capacity. And it would give Canadians a channel through which to complain.

The bill also pledges to strengthen the Office of the CSE Commissioner, in particular by requiring more comprehensive oversight. What this would mean in practice remains unclear, but here are some suggestions: Ministerial directives—such as the one that renewed the metadata program in 2011—should be made public. The agency should disclose incidents in which Canadian citizens’ communications or metadata have been intercepted. We should also know how and from where the CSE collects intelligence—whether it has compromised undersea Internet cables, for example, or the famously tough encryption used for BlackBerry data.

Though Murray’s bill is unlikely to pass, its calls for reform and transparency are largely sound. Even if the agency’s actions fall within the letter of the law—as Gonthier found during his 2008 review—that doesn’t necessarily make them right. Our privacy is at stake. In the absence of a Canadian Snowden, it’s up to citizens to demand answers.

This appeared in the October 2014 issue.

Matthew Braga
Matthew Braga is a Toronto-based writer, editor, and former senior reporter for CBC News.