CSIS, Bill C-51 and Canada's growing metadata collection mess
Canadian public has put issue of cyber privacy on backburner, Steven Zhou writes
Much has been made over whether the Canadian Security Intelligence Service, Canada's spy agency, should be armed with broader powers to "disrupt" what it perceives as terrorist plots.
A report tabled this month by the Security Intelligence Review Committee, which watches over CSIS's work, notes that while the spy agency hasn't abused its new powers of disruption, its bulk data collection program needs to be scaled back.
It's easy to think of CSIS and other spy agencies as shadowy organizations that carry out James Bond-like "missions" involving cool gadgets and high-tech weaponry, but the Snowden leaks, among other revelations, have shown the public that metadata collection (online communications, phone logs and other electronic exchanges that can be intercepted in enormous amounts) now constitutes the state's primary instrument of control.
Privacy Commissioner Daniel Therrien recently called upon legislators (the Liberals in particular) to amend certain aspects of Canada's national security laws in order to address the issue of metadata collection.
In particular, Therrien referred to the Communications Security Establishment, which seems to get a lot less public scrutiny than CSIS. The CSE is responsible for collecting massive volumes of foreign communications through "signals-intelligence" (or "sigint"), but it also tends to drag up large amounts of Canadian metadata, which it isn't supposed to be doing.
Illegal sharing of data
This is also a point that Jean-Pierre Plouffe, the commissioner who provides oversight for the work the CSE does, has consistently made. Plouffe tabled his annual report earlier in the year and revealed that the CSE illegally and inadvertently shared a large amount of metadata with Canada's "Five Eyes" intelligence allies: the U.K., U.S., New Zealand and Australia.
The shared metadata could have included the private communications information of Canadians. He noted that there's no way to tell exactly how long the CSE has been doing this, and that the agency has also been buying faulty software that should have worked to protect people's privacy.
Given the amount of work and data collection that CSIS and the CSE both do, it's hard to see how each agency's mandate should be expanded without a corresponding expansion of the powers of watchdogs who monitor their work.
Under Stephen Harper, the Security Intelligence Review Committee wasn't even fully staffed, and for all their promises to reform Canada's national security apparatus, Justin Trudeau's Liberals still haven't released any details about how they want to do that.
Meanwhile, Therrien's report also reveals that many government agencies didn't go through with the proper protocol to assess whether they have the necessary infrastructure in place to protect people's privacy, even as each department is given more leeway to share data with the others.
This is one of the main features of Bill C-51, which is the same omnibus bill that gave CSIS its new powers to "disrupt."
Therrien reported that as each government agency is given permission to share data with other agencies, the responsible thing would have been to assess how these newly acquired capabilities would impact Canadians' privacy. Many agencies that acquired this power under C-51 simply chose not to carry out this assessment and look out for the Canadian people.
Therrien stressed that the information-sharing regime mandated by C-51 is "unprecedented" in its scope and that law-abiding Canadian citizens who aren't under suspicion shouldn't be caught up in it at all. Yet this country's sprawling metadata regime and national security agencies don't seem to have any powerful tools to ensure any meaningful level of privacy protection.
Privacy on the backburner
One can, for the moment, leave aside the issue of whether or not the collection of metadata is itself a smart and constitutional thing to do, but even if the answer is yes, there still needs to be a discussion over how to keep the scope of collection within the appropriate parameters. CSIS has since halted (for the time being) its bulk metadata collection programs, but the CSE has not.
And as threats like the Islamic State continue to exist and inspire like-minded terrorists across the world, the Canadian public seems to have put the issue of privacy on the backburner.
This complacency cannot continue if there's to be a meaningful check on the state's power to intrude upon the lives of its citizens.
Steven Zhou is a Toronto writer who has experience in human rights advocacy. He has worked for Human Rights Watch, OXFAM Canada and other NGOs.