Threat Intelligence

7/14/2016
10:15 AM
Bruce Cowper
Commentary

What's Next For Canada’s Surveillance Landscape?

Edward Snowden headlines SecTor security conference as Canadian privacy advocates await the Trudeau government's next move in the country's complex privacy and security debate.

Edward Snowden’s 2013 revelations of massive state surveillance shocked the world and made it more aware of electronic privacy issues, but north of the border, Canada continues to struggle with its own.

Just over a year ago, the former Conservative Canadian government, led by Stephen Harper, enacted a piece of legislation that enraged privacy advocates. Bill C-51 extended the powers of Canada’s intelligence services, prompting an open letter from over 100 Canadian academics imploring the government to rethink it. Even the federal Privacy Commissioner complained about it.

A year later, we have a new government that has promised to overhaul things. What has been done, and where does Canada’s complex debate over privacy and national security sit now?

C-51 angered privacy advocates by increasing information-sharing powers between 17 government agencies. The Canadian Security Intelligence Service (CSIS), which is Canada’s domestic intelligence agency, can now obtain the tax records of anyone perceived to be a national security threat, for example. The bill also permitted the disclosure of information shared between government agencies to others.

C-51 gave new powers to CSIS. They included the "disruption" mandate, which lets the agency take measures to reduce threats that it believes endanger the security of Canada. Legal experts have questioned the wording here, worrying that CSIS gets to determine what constitutes a threat and suggesting that it can legitimize a slew of activities including electronic surveillance without the need for the agency to ask for a warrant.

All of this dismayed Snowden, who has specifically referenced Canada when warning against passing anti-terror laws that curtail civil liberties.


Edward Snowden will be speaking via video link at the SecTor security conference in Toronto at 9 am on Tuesday October 18, and will be taking questions from Dark Reading readers. If you have relevant questions you would like to ask, let the SecTor team know by posting them in the comments section at the bottom of this article. SecTor will be selecting the best to be addressed at the event.


Politically, the Conservative Harper government naturally supported the bill, having introduced it in the first place, while the left-leaning National Democratic Party (NDP) strongly opposed it. The moderate Liberal party, which ended up winning last year’s federal election, came down in the middle, supporting the bill but with some caveats.

Trudeau: Broader oversight, narrower scope
Liberal leader and now-Prime Minister Justin Trudeau voted for the bill but vowed to temper it a little in two broad areas.

The first focal point was oversight. The Liberal government would create a multi-party oversight committee to ensure that CSIS was acting appropriately. Snowden himself criticized Canada for poor spying oversight back in May 2015, not long before the bill became law.

CSIS hasn’t been entirely without oversight in the past. Traditionally, the body responsible for overseeing CSIS has been the Security Intelligence Review Committee (SIRC). This body typically reviewed a sample of CSIS warrant applications, but in its annual report for 2014-15, it explained that it would have to broaden its review activities to cope with the new powers granted to CSIS under C-51. The Harper Government had already earmarked additional funding to help with this in its 2015 Economic Action Plan.

SIRC explained that it had broadened its scope to cover CSIS’ use of metadata, and had found it wanting in areas including training, policy and procedure, investigative thresholds, and recording its decision-making. SIRC had made some key recommendations in this area that CSIS had not taken up, the report said.

Trudeau’s concern was that SIRC described itself as a review body, examining past activities, rather than an oversight body, monitoring CSIS operations in real time.

The Liberal leader vowed to alter this and started to make good on this promise in early 2016. His public safety minister Ralph Goodale has now introduced Bill C-22, which would create a cross-party oversight committee that would oversee almost 20 agencies related to national security.

Mandatory review period
The second problem that Trudeau had with C-51 was with the bill’s scope. He promised to refine some of its language so that legal protests and advocacy would not be defined as terrorist activities, and said that he would introduce a mandatory review period for the legislation.

He hasn’t taken these steps at the time of writing, and privacy advocates are awaiting the government’s next move. In the interim, Trudeau has been shuffling. One notable political action was his appointment of a new national security advisor, Daniel Jean, in May this year. Jean replaces former Harper government National Security Advisor Richard Fadden, an ex-director of CSIS, who recently retired.

Jean doesn’t come from the spy community, moving up instead from his role as deputy minister of foreign affairs. Before that, he served in Heritage Canada and the Treasury Board. That may point to a more international intelligence focus at the top and a move away from more hardline domestic intelligence policies. It could be taken as an indicator that the Trudeau government intends to calibrate Bill C-51 to bring it more in line with its new focus.

All this will still be guesswork until Trudeau actually takes steps to change the legislation. An attempt at proper oversight may appease privacy advocates a little, but we still don’t know what will happen to the government’s electronic surveillance powers until a minister stands up in parliament with a proposed amendment.

Even when that happens, it’s unlikely to satisfy privacy advocates who have always called for the repeal of C-51, but they’re unlikely to get much more. After all, the Trudeau government never promised to do away with the thing altogether.

Don’t forget, Edward Snowden will be speaking via video link at the SecTor security conference on October 18, so post your questions in the comments section below.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for ...
 

Comments
AmyRobison,
User Rank: Apprentice
10/4/2016 | 11:23:13 AM
Question for Snowden
The Secure Exchange of Encrypted Data (SEED) Protocol is a recently patented cybersecurity invention (U.S. Patent Nos. 9,378,380 and 9,390,228) that uses individualized asymmetric encryption in combination with a distributed, interlocking design to secure confidential data that must be shared between organizations. (More info is available online.) The question for Mr. Snowden: Would the SEED Protocol have prevented you from being able to access and leak the NSA documents?
AmyRobison,
User Rank: Apprentice
10/17/2016 | 10:28:21 AM
Snowden Keynote
Will Snowden's session tomorrow morning be streamed live or released later online?
BruceCowper,
User Rank: Author
10/17/2016 | 10:50:18 AM
Re: Snowden Keynote
The keynote is currently only being broadcast at the event, both in the keynote hall and expo theatre. You can register for the expo at sector.ca/register.