If Canadian spies found a flaw in the iPhone, would they tell Apple? Make the policy public, critics say

When Canada's electronic spy agency finds a security flaw in a widely used operating system or a much-loved messaging app, what it does next is anyone's guess. There are calls for that to change.

CSE has ‘responsibility’ to be more transparent about its handling of software flaws says NDP MP Matthew Dubé

It's unclear what Canada's electronic spy agency, the Communications Security Establishment, does when it finds a security flaw in a widely used operating system or a much-loved messaging app. (Douglas C. Pizac/Associated Press)

When Canada's electronic spy agency finds a security flaw in a widely used operating system or a much-loved messaging app, what it does next is anyone's guess. Does it report the flaw to the software's developer so that it can be fixed? Or is knowledge of the flaw saved for the future, when it can be exploited by the agency's spies to gather intelligence?

The Communications Security Establishment (CSE) has a policy governing this process but won't disclose or discuss it. As the government attempts to introduce sweeping changes to the country's national security laws — with new powers for agencies like the CSE — there are calls from both experts and the opposition for that shadowy policy to be laid bare.

The CSE has its own "panel of experts" from across the agency that meets "regularly" to review and assess software vulnerabilities, a spokesperson told CBC News last year, though he declined to elaborate further on the agency's review policy. 

NDP MP Matthew Dubé is one critic who says that has to change.

"I think that they do have a responsibility to provide that kind of information," Dubé said in an interview with CBC News.

NDP MP Matthew Dubé would like to see Canada follow the U.S.'s lead and make the CSE's policy public. (Marc Robichaud/CBC)

Dubé, who is the party's public safety critic, acknowledged that some information may have to be withheld for national security reasons but said there should also be a way to provide more transparency to Canadians on how software vulnerabilities are handled — "especially if we're seeing our allies partake in a similar exercise," he said.

In the U.S., a policy called the Vulnerabilities Equities Process determines what agencies such as the FBI or NSA should do when they discover or acquire knowledge of previously unknown vulnerabilities. The reviews include input from law enforcement and military as well as civilian agencies, such as the departments of Commerce, Energy, and State.

Previous versions of the policy were not publicly available and had to be obtained via Freedom of Information lawsuits. The most recent policy was released by the government last November, and requires an annual, partly unclassified report on outcomes of the review process. 

In recent weeks, Dubé has been spending much of his time before the House of Commons standing committee on public safety and national security seeking clarity on the expanded powers proposed in the Liberal government's new national security legislation, Bill C-59.

"When we're broadening legislation in order to offer these agencies more powers, understanding more about what kind of policies they have in place and how they're going to behave with those powers — I think we have a right to know ... what exactly that entails," Dubé said. "And as far as I'm concerned, we just don't have that right now."

Holding CSE accountable

Different parts of CSE can, at times, be working at cross purposes. Where one group might be trying to infiltrate a foreign target's smartphone by exploiting a newly discovered software flaw, another might argue the flaw should be patched before others discover it first and potentially use it against Canadians.

In Canada, it's not clear which types of vulnerabilities prompt reviews, how many vulnerabilities have been assessed or whether CSE engages other government agencies in its reviews. The spy agency declined to provide a copy of the policy that describes how the process works.

CSE is unable to provide any further details about operational specifics.- Ryan Foreman, spokesperson

"As previously noted, CSE has a rigorous process in place to assess and review vulnerabilities," CSE spokesperson Ryan Foreman wrote in an emailed statement to CBC News. "This is a standardized decision-making process which allows CSE to responsibly manage equities associated with identified vulnerabilities in a way that puts the safety and security of Canada and Canadians first.

"CSE is unable to provide any further details about operational specifics," Foreman said. 

Researchers at the University of Toronto's Citizen Lab have argued that without more information about the agency's policy, it is impossible to know how the agency balances its responsibility to protect Canadians with its mandate to collect foreign intelligence — let alone "hold the establishment accountable if policies which inappropriately restrict responsible disclosure fail to serve the public interest." 

In an analysis of Bill C-59 published last month, the researchers argued that such a policy should be made public — if not enshrined as part of the bill — and that the outcomes of reviews should be released regularly to the public, to the greatest extent possible.

"In the absence of a clear framework for how, when and whether vulnerabilities are disclosed, there is no way for industry or the public to understand under what conditions the CSE would decide to keep such discoveries secret for its own purposes," the Citizen Lab report reads.

When asked if the government's proposed National Security and Intelligence Review Agency (NSIRA‎) would oversee CSE's vulnerabilities process and be provided with regular reports, Foreman would say only that all of CSE's activities would be subject to review if Bill C-59 is passed.

Dubé says the lack of transparency has made it difficult for Canadians to understand what, exactly, it is that the CSE does. But as far as the agency's handling of software vulnerabilities goes, it's Dubé's hope that the "new oversight mechanisms being proposed will help in some way."

About the Author

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News. He was previously the Canadian editor of Motherboard, Vice Media's science and technology website, and a business and technology reporter for the Financial Post. Email: matthew.braga@cbc.ca