In its fight against Chinese espionage and other cyberthreats, Canada’s electronic-intelligence agency intercepts citizens’ private messages without judicial warrants.
A 22-page “Operational Procedures for Cyber Defence” document obtained by The Globe speaks to just how Communications Security Establishment Canada (CSEC) can log, store and study volumes of electronic communications that touch government computer networks – including the “private communications” of Canadians not themselves thought to be hackers.
Full details about the tradeoffs involved in CSEC’s operations are known only to one outsider – Minster of National Defence Rob Nicholson, the official who approves such surveillance, and who is provided with statistics about its risks.
Critics fear that sweeping measures meant to curb hacking could make collateral damage of Canadians’ privacy – particularly for citizens who frequently engage with the government online.
“We need to start asking a lot of questions about how the cybersecurity part of the CSEC mandate is being carried out,” said Tamir Israel, a lawyer at an Internet-policy think tank in Ottawa.
Intelligence officials, who say they never “target” Canadians, argue they need to make use of domestic communications to pinpoint threats.
“We take strict measures to protect the privacy of Canadians,” said Ryan Foreman, a spokesman for the agency. “… The total number of private communications used and retained is classified,” he said, but added that CSEC only keeps such messages “if they contain or are suspected to contain malware or other threats.”
Hackers hide themselves in many ways, by using roundabout paths to approach computer networks, by breaching firewalls with Trojan-horse programs or by lurking inside systems to quietly remove sensitive documents.
Some hacking is sponsored, or encouraged, by foreign nations. A Chinese national was arrested in Vancouver last month on U.S. charges of directing a sophisticated cyberespionage ring, one that allegedly compromised computers in Singapore, Korea and the United States, just to help steal military documents in California.
This week, Ottawa officials announced CSEC had “detected and confirmed a cyberintrusion” and called out Beijing, publicly, for espionage for the first time. China is denying it, but “there is no doubt as to the source of this particular attack,” Prime Minister Stephen Harper told reporters Wednesday.
CSEC, whose main job is to spy on foreigners for Ottawa, is also responsible for safeguarding government computer systems.
While it is a crime for other federal agents to snoop on Canadians’ private communications without a warrant, CSEC has a get-out-of-jail-free card. In 2001, Parliament passed a law saying its interceptions are beyond Criminal Code constraints, so long as the politician running the Defence Department signs what’s known as a “ministerial authorization.”
Not much is known about how such powers have been used over the past 13 years, beyond giving CSEC leeway to intercept citizens’ full communications without criminal consequence. (Grabs at telecommunications traffic, or “metadata,” are accomplished by CSEC under different legal reasoning.)
Seeing interception of private communications as an inevitability, CSEC takes pains to handle them with care. The cyberdefence operations document says strict steps must be followed, not just by CSEC employees, but also by outside contractors and “secondees” from other agencies.
The process starts when a federal “client” department writes CSEC requesting a cyberdefence operation. The spy agency then warns of how its tools may risk intercepting private communications. Captured communications considered private can be retained, analyzed or even shared by CSEC if they meet the threshold of being either “relevant” or “essential.” Any “Canadian identity information” is usually kept secret in such exchanges.
While retention periods for the intercepts exist, details are redacted from the materials obtained by The Globe.
During the late 2000s, CSEC’s watchdog agency pointed out that it had several issues with cyber defence practices and, more broadly, the ministerial authorizations that gave rise to them. A retired judge in charge of the office highlighted questionable interpretations of open-ended legal language that could obscure the breadth of activities, and also found some incidences of inappropriate retention and sharing.
Questions were also raised about whether CSEC’s cyber defence probes could generate spinoff Canadian police investigations should any incidences of criminality be uncovered. The policy document obtained by The Globe, written in 2011, says that today any such discoveries “must be controlled and shared on a strict ‘need to know’ basis.”
In its 2006 annual report the watchdog office subtly warned Canadians that communications with the federal government could be considered fair game.
“Individuals conducting personal and business affairs with the government of Canada have a reasonable expectation of privacy. However when the security of government computers systems and networks is being tested, personal information or private communications can be inadvertently intercepted.”
A former head of CSEC John Adams put matters more starkly when he told The Globe last year that he reined in CSEC cyber defence program in the late 2000s for “being a little too loose.”
Without speaking to details, he cautioned that it was just about impossible for the agency not to touch citizens’ communications when dealing with hacking threats.
“Protecting Canada means you’re going to be hitting Canadians,” he said.