Canada’s security and intelligence organizations face “significant challenges” detecting and responding to security threats because of legislative gaps and outdated resources limiting when and how they can access private messages, one of the country’s intelligence watchdogs warns.

A recently tabled report from the National Security and Intelligence Committee of Parliamentarians (NSICOP) examined the fiercely contested issue of lawful access — court-approved interception of electronic communications.

While noting legitimate privacy concerns, the report found organizations like the Canadian Security Intelligence Service (CSIS) and RCMP are hindered because they do not have the tools, policies and authorities in place to legally access communications during investigations.

“The committee is concerned by the lawful access challenges described by the security and intelligence community and by the long-standing inability of successive governments to address them,” the report said.

“They state that encryption and the increasing volume, variety and velocity of digitally generated data make it difficult and sometimes impossible to gather the information needed to carry out effective investigations.”

The committee warned that if left unaddressed, “these challenges will undermine Canada’s national security in the long term” and could “impede Canada’s continued ability to benefit from Five Eyes efforts … if it cannot meaningfully contribute to this partnership.”

The report comes as the House of Commons debates a government bill that would give sweeping new powers to law enforcement, including lawful access.

Right to privacy vs. public safety

A classified version of the report was submitted to the prime minister on March 4 and a redacted public version was tabled in the House of Commons last week.

It dives into one of the most controversial issues in national security: balancing the individual right to privacy while safeguarding public safety.

Security organizations’ access to personal information, like private messages, is “one of the most intrusive powers of the state” that Canadians expect is used only when “prescribed by law, [serves] a legitimate purpose and be necessary and proportionate,” the report said.

It said Canadians also expect them to have “the tools, policies and lawful authorities” for such access.

“Canadians would be surprised to learn how difficult it actually is for security and intelligence agencies to do so,” it said.

The committee found that unlike a number of Canada’s allies, this country does not have legislation to compel service providers to develop, deploy or maintain systems to quickly provide that information if CSIS and the RCMP come knocking with a judicial authorization.

NSICOP said that gap is creating risks including delays, legal ambiguity, financial inefficiencies and “has caused confusion and frustration for all parties.”

CSIS told the committee the lack of intercept capability legislation “is the single greatest differentiator with our [Five Eyes] partners who all have more success than we do.”

Access to U.S. data creating delays

Another issue the report touched on was accessing information stored outside of Canada.

Privacy advocates told committee members that troves of potentially revealing personal data collected by the private sector are an untapped opportunity for security and intelligence agencies.

CSIS countered that it is sometimes unable to access that information because those companies are primarily located outside of Canada.

Many of the world’s largest tech firms are U.S.-based. As the report states, under the U.S. Stored Communications Act, it is illegal for American companies to disclose the content of communications to foreign authorities unless an order is served on them through the American court system.

The RCMP can request that data through a mutual legal assistance treaty. If the Mounties need information from Facebook or Apple, they send a request to Canada’s Department of Justice, which sends it to the U.S. Department of Justice. If it’s accepted, an assistant U.S. attorney makes an application before a U.S. judge to obtain a warrant. The FBI may execute the warrant after it is issued by the U.S. judge.

Once the company hands over the information to the FBI, it trickles back to the RCMP via the two justice departments.

According to the RCMP, the process can take three to six months and that delay can impact investigations.

NSICOP noted that even if the legal process is successful, the data may have been deleted before the warrant arrives.

Getting around encryption

The report looked at ways CSIS and the RCMP are getting around “going dark” — when targets use encrypted communications and the dark web to mask their activities.

The RCMP uses an “on-device investigative tool” (ODIT), software that is installed on a targeted smartphone or computer that allows the Mounties to directly access information before it is encrypted, or after it has been decrypted.

It is described by the RCMP as “one of the most complex and expensive technical collection programs we maintain.”

According to a successful case study cited in the report, in 2018 the U.S. Federal Bureau of Investigation (FBI) alerted the RCMP about a Canadian who was reportedly building a bomb and planning an attack at a New Year celebration. The RCMP deployed an ODIT, which turned up messages and schematics for a pressure-cooker bomb.

The Canadian was ultimately charged and pleaded guilty to four terrorism offences.

The committee members said they are concerned “with how much of this successful mitigation presently relies upon the ingenuity of CSIS and the RCMP rather than the right configuration of tools, lawful authorities and resources.”

ODITs require several authorizations, including a wiretap to intercept private communications, as well as a general warrant and a transmission data recorder warrant, the report said. The technique also relies on successfully exploiting vulnerabilities — not always a guarantee.

“The committee learned that these tools are expensive and often unreliable, as targets have become increasingly cybersecurity savvy and as companies work to identify and address the vulnerabilities in operating systems and encryption platforms,” said the report.

Privacy advocates warned the committee any steps giving police and intelligence agencies the power to circumvent encrypted communications or data would “fundamentally weaken cybersecurity overall, erode public trust and threaten fundamental democratic values.”

CSIS and the RCMP do not systematically track how often they encounter technological challenges like encryption in their national security investigations, an “important omission” according to the report, since they “advise the government and attempt to convince Canadians … that new legislation and resources are required.”

The report said the agencies “are only able to offer anecdotes and not concrete figures.”

Still, NSICOP members believe there are “significant challenges” in CSIS and the RCMP’s ability to access relevant and timely digital evidence and intelligence.

“These challenges are not new. Successive governments have been aware of them for some time,” the report concluded.

“It is time for the government to act and provide the security and intelligence community with the tools, policies and lawful authorities they require … which is responsive to and protective of their privacy.”

The report makes seven recommendations, including that the government develop and implement a comprehensive strategy to address Canada’s lawful access challenges and prioritize the signing and implementation of the Canada-U.S. Data Access Agreement, which the report says would “remove long-standing jurisdictional barriers” erected by U.S. law.

It also called on the government to publicly clarify its position on exceptional access to communication protected by encryption.

In a statement, CSIS says it agrees with the majority of NSICOP’s recommendations.

The RCMP deferred to the Public Safety Department, which said it saw CSIS’s response and has nothing more to add.

Controversial border bill includes lawful access provisions

The Liberals’ Bill C-2, which includes lawful access amendments, is expected to get a rough ride in Parliament this fall.

It would compel service providers to hand over basic information to police and CSIS without judicial sign-off. It would also create a new order compelling the production of more detailed subscriber information with judicial authorization during a criminal investigation.

The bill has received a wave of backlash from civil liberties groups, academics and some opposition MPs who argue it creates new surveillance powers infringing on personal privacy and the Charter of Rights and Freedoms.

NSICOP is made up of MPs and senators who go through a high-level clearance in order to view and hear top-secret information.

Since the lawful access report was written, the committee lost its NDP voice as the party no longer has recognized status in the House.