Threat Intelligence

7/14/2016
10:15 AM
Bruce Cowper
Commentary

What's Next For Canada's Surveillance Landscape?

Edward Snowden headlines SecTor security conference as Canadian privacy advocates await the Trudeau government's next move in the country's complex privacy and security debate.

Edward Snowden’s 2013 revelations of massive state surveillance shocked the world and made it more aware of electronic privacy issues, but north of the border, Canada continues to struggle with its own.

Just over a year ago, the former Conservative Canadian government, led by Stephen Harper, enacted a piece of legislation that enraged privacy advocates. Bill C-51 extended the powers of Canada’s intelligence services, prompting an open letter from over 100 Canadian academics imploring the government to rethink it. Even the federal Privacy Commissioner complained about it.

A year later, we have a new government that has promised to overhaul things. What has been done, and where does Canada’s complex debate over privacy and national security sit now?

C-51 angered privacy advocates by increasing information-sharing powers between 17 government agencies. The Canadian Security Intelligence Service (CSIS), which is Canada’s domestic intelligence agency, can now obtain the tax records of anyone perceived to be a national security threat, for example. The bill also permitted the disclosure of information shared between government agencies to others.

C-51 gave new powers to CSIS. They included the "disruption" mandate, which lets it take measures to reduce threats when it believes they pose a threat to the security of Canada. Legal experts have questioned the wording here, worrying that CSIS gets to determine what constitutes a threat and suggesting that it can legitimize a slew of activities including electronic surveillance without the need for the agency to ask for a warrant.

All of this dismayed Snowden, who has specifically referenced Canada when warning against passing anti-terror laws that curtail civil liberties.


Edward Snowden will be speaking via video link at the SecTor security conference in Toronto at 9 am on Tuesday October 18, and will be taking questions from Dark Reading readers. If you have relevant questions you would like to ask, let the SecTor team know by posting them in the comments section at the bottom of this article. SecTor will be selecting the best to be addressed at the event.


Politically, the Conservative Harper government naturally supported the bill, having introduced it in the first place, while the left-leaning National Democratic Party (NDP) strongly opposed it. The moderate Liberal party, which ended up winning last year’s federal election, came down in the middle, supporting the bill but with some caveats.

Trudeau: Broader oversight, narrower scope
Liberal leader and now-Prime Minister Justin Trudeau voted for the bill but vowed to temper it a little in two broad areas.

The first focal point was oversight. The Liberal government would create a multi-party oversight committee to ensure that CSIS was acting appropriately. Snowden himself criticized Canada for poor spying oversight back in May 2015, not long before the Bill became law.

CSIS hasn’t been entirely without oversight in the past. Traditionally, the body responsible for overseeing CSIS has been the Security Intelligence Review Committee (SIRC). This body typically reviewed a sample of CSIS warrant applications, but in its annual report for 2014-15, it explained that it would have to broaden its review activities to cope with the new powers granted to CSIS under C-51. The Harper Government had already earmarked additional funding to help with this in its 2015 Economic Action Plan.

SIRC explained that it had broadened its scope to cover CSIS’ use of metadata, and had found it wanting in areas including training, policy and procedure, investigative thresholds, and recording its decision-making. SIRC had made some key recommendations in this area that CSIS had not taken up, the report said.

Trudeau’s concern was that SIRC described itself as a review body, examining past activities, rather than an oversight body, monitoring CSIS operations in real time.

The Liberal leader vowed to alter this and started to make good on this promise in early 2016. His public safety minister Ralph Goodale has now introduced Bill C-22, which would create a cross-party oversight committee that would oversee almost 20 agencies related to national security.

Mandatory review period
The second problem that Trudeau had with C-51 was with the bill’s scope. He promised to refine some of its language to exclude legal protests and advocacy from the definition of terrorist activities, and said that he would introduce a mandatory review period for the legislation.

He hasn’t taken these steps at the time of writing, and privacy advocates are awaiting the government’s next move. In the interim, Trudeau has been shuffling. One notable political action was his appointment of a new national security advisor, Daniel Jean, in May this year. Jean replaces former Harper government National Security Advisor Richard Fadden, an ex-director of CSIS, who recently retired.

Jean doesn’t come from the spy community, moving up instead from his role as deputy minister of foreign affairs. Before that, he served in Heritage Canada and the Treasury Board. That may point to a more international intelligence focus at the top and a move away from more hardline domestic intelligence policies. It could be taken as an indicator that the Trudeau government intends to calibrate Bill C-51 to bring it more in line with its new focus.

All this will still be guesswork until Trudeau actually takes steps to change the legislation. An attempt at proper oversight may appease privacy advocates a little, but we still don’t know what will happen to the government’s electronic surveillance powers until a minister stands up in parliament with a proposed amendment.

Even when that happens, it’s unlikely to satisfy privacy advocates who have always called for the repeal of C-51, but they’re unlikely to get much more. After all, the Trudeau government never promised to do away with the thing altogether.

Don’t forget, Edward Snowden will be speaking via video link at the SecTor security conference on October 18, so post your questions in the comments section below.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for ...
Comments
BruceCowper,
User Rank: Author
10/17/2016 | 10:50:18 AM
Re: Snowden Keynote
The keynote is currently only being broadcast at the event, both in the keynote hall and expo theatre. You can register for the expo at sector.ca/register.
AmyRobison,
User Rank: Apprentice
10/17/2016 | 10:28:21 AM
Snowden Keynote
Will Snowden's session tomorrow morning be streamed live or released later online?
AmyRobison,
User Rank: Apprentice
10/4/2016 | 11:23:13 AM
Question for Snowden
The Secure Exchange of Encrypted Data (SEED) Protocol is a recently patented cybersecurity invention (U.S. Patent Nos. 9,378,380 and 9,390,228) that uses individualized asymmetric encryption in combination with a distributed, interlocking design to secure confidential data that must be shared between organizations. (More info is available online.) The question for Mr. Snowden: Would the SEED Protocol have prevented you from being able to access and leak the NSA documents?