The Liberal government's ill-defined plan to give Canada's cyberspy agency wide-ranging powers to go on the attack against threats could trample civil liberties, warns a newly released analysis.
The report by leading Canadian cybersecurity researchers says there is no clear rationale for expanding the Communications Security Establishment's mandate to conduct offensive operations.
"The case has not been made that such powers are necessary, nor that they will result in a net benefit to the security of Canadians."
The 71-page report, made public Monday, was prepared by a team of five researchers from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto and the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.
It delves into intricacies of the sweeping Liberal security bill, tabled in June, that would give the CSE new authority to conduct both defensive and offensive cyberoperations. The report makes 45 recommendations to safeguard privacy and human rights.
The Ottawa-based CSE uses highly advanced technology to intercept, sort and analyze foreign communications for intelligence of interest to the federal government. It is a member of the Five Eyes intelligence alliance that also includes the United States, Britain, Australia and New Zealand.
The secretive CSE has been thrust into the headlines in recent years due to leaks by Edward Snowden, the former spy contractor who worked for the National Security Agency, the CSE's American counterpart.
The Liberal legislation, which followed extensive public consultations, would give the CSE new muscle to engage in state-sponsored hacking and other covert measures. It would be authorized to interfere "with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security."
In a statement Monday, the CSE said the agency operates in a rapidly evolving technological world and needs updated legislation and expanded licence to respond to those changes and continue to protect Canadians.
However, the newly released analysis says the scope of the planned authority is not clear, nor does the legislation require that the target of the CSE's intervention pose some kind of meaningful threat to Canada's security interests.
The previous Conservative government gave the Canadian Security Intelligence Service, the national domestic spy service, the power to disrupt plots that threaten Canada, not just gather information about them. Disrupt could mean anything from defacing a website to sabotaging a vehicle.
The CSIS powers stirred controversy, raising fears of constitutional breaches, and the Liberal bill refines them to ensure consistency with the Charter of Rights and Freedoms.
The analysis says the proposed new CSE powers "have the capacity to be at least as invasive, problematic and rights-infringing" as activities conducted by CSIS in the course of its threat-reduction activities.
The authors recommend the CSE be required to obtain judicial warrants, much like CSIS does, before taking disruptive actions in cyberspace. At minimum, there should be a more robust plan for independent, real-time oversight of the CSE's offensive activities.
The CSE notes it would be explicitly prohibited from directing active cyberoperations at anyone in Canada or at Canadians anywhere, adding they would be undertaken only when authorized by both the defence and foreign affairs ministers.
In addition, the CSE stresses it is a foreign intelligence and cybersecurity organization, not a domestic security or law enforcement agency. "Warrants for law enforcement and security agencies are generally for specific targets or operations that can be directed at Canadians or persons in Canada."
All of CSE's activities would be subject to review by two new agencies – the national security committee of parliamentarians and a proposed intelligence super-watchdog, the cyberspy agency adds.
The analysis cautions that endorsing state-sponsored cyberoperations has serious international implications, and is "likely to legitimize and encourage other states – including those with problematic human rights records – to do the same."