Canada’s spy agency says the lack of a “lawful access” regime that would give it easier access to Canadians’ digital data has frustrated its ability to help foreign intelligence partners combat transnational threats, including those moving into Canada.
In a rare on-the-record briefing, Nicole Giles, deputy director of policy and strategic partnerships at the Canadian Security Intelligence Service, said that, in one instance, the agency was unable to respond to a request from a “like-minded” foreign intelligence partner to identify suspects found to have Canadian phone numbers.
Ms. Giles answered questions from The Globe and Mail on Friday, alongside other senior federal officials, about Bill C-22, Ottawa’s proposed lawful access bill, which would force tech companies and other electronic service providers to make changes to their systems to help police and CSIS with investigations.
They were responding to critics of the bill, who warn it could compromise Canadians’ privacy, weaken encryption and create new targets for hackers.
CSIS and law enforcement have long argued that Canada is lagging behind its Five Eyes intelligence partners in not having such a lawful access regime.
Ms. Giles said that although the intelligence work of CSIS is “highly valued by our partners” they would “very much like us to have similar capabilities to be able to contribute.”
She said there is always “a degree of frustration when there is a gap in our systems that we’re not able to fill when it comes to working as a collective team internationally to combat threats,” which she said now “tend to transcend borders.”
“There’s very few threats that any of us are working on that don’t have any sort of international linkage or implications, so there’s a lot of importance in ensuring that we can hold our weight with partners,” she added.
During one operation, the spy agency received information “from a foreign partner carrying out an investigation outside Canada, where a few of the subjects of investigation are associated with Canadian phone numbers.”
The partner told CSIS that, based on their intelligence, the threat was moving into Canadian territory.
“So we were able to confirm that the phone numbers were obtained through a reseller, but most resellers don’t actually maintain records of their sales,” she said, explaining that core metadata on the targets’ activities was not available.
Even if a federal warrant had been obtained to track a cellphone, without lawful access powers requiring data to be retained, Ms. Giles said, “the electronic service provider does not have the necessary capabilities to track the device.”
Bill C-22, currently being scrutinized by a committee of MPs, could force electronic service providers – such as phone companies, messaging apps and tech companies – to collect metadata about clients and retain it for up to a year.
The metadata would not include e-mails, web-browsing history, social-media activity or text messages, but it could include information about which telephone numbers have been in touch with each other, and data allowing someone’s location to be pinpointed.
RCMP Superintendent Nicolas Gagné, who directs specialized surveillance operations and technologies, said such metadata could be useful to track and identify people, including at the scenes of shootings. But currently there is no obligation for that data to be retained, and it could have been erased by the time the RCMP get a warrant to see it.
“What we’ve seen previously is that there are shots fired at home, shots fired at a business, shots fired at a car, in the middle of the night. So we have a lot of trouble trying to establish who might be responsible if we don’t have any witnesses,” he told The Globe at the briefing.
Such metadata, which could be from phones, “can be used to identify individuals who may have been on the scene or at least individuals who were in proximity at the time.”
He said the lawful access powers could also help Mounties track where a person who sent an extortion demand is actually based.
Richard Bilodeau, a senior official in the Public Safety Department’s cybersecurity branch, said the lawful access powers could aid investigations into “bad actors” who “might have used alternative ways of communicating.” But he said CSIS and police services would still need warrants to obtain information from electronic service providers.
Tech companies and cybersecurity experts have expressed serious concerns about requiring electronic service providers, potentially including providers of encrypted messaging apps, to retain metadata for up to a year.
They warn that caches of such data could become an attractive target for hackers, including those working for foreign adversaries. They also want the bill to be amended to explicitly protect end-to-end encryption, which is used by many companies, including secure messaging services. Non-profit messaging app Signal has warned it would pull its services out of Canada if the bill passes in its current form.
The bill already exempts providers from being forced by the government to make changes that would introduce what it calls a “systemic vulnerability” into their systems. But C-22’s critics say the bill’s definition of what counts as such a vulnerability is too vague while encryption remains undefined in the legislation.
Mr. Bilodeau said Public Safety Minister Gary Anandasangaree is aware of misgivings about the bill as drafted and is open to amendments. Discussions with those who have concerns about the bill have been held, he said.
“Without going too far, I would say that all of those stakeholder conversations are informing the next steps,” he told The Globe at the briefing. “There is definitely a willingness, not just on end-to-end-encryption, but on the entire legislation, as being open to amendments and making things clearer.”
Shannon Hiegel, director-general of national security policy at Public Safety Canada, said: “The minister’s open for new ideas.”
Tamir Israel, director of the privacy, surveillance and technology program at the Canadian Civil Liberties Association, warned, in a separate interview, that the bill is loosely worded, and, without changes, could enable secret surveillance of individual Canadians using their electronic devices.
But Mr. Bilodeau said the bill as worded “doesn’t allow for mass surveillance or tracking in real time.”
“The legislation does not allow for any direct access for law enforcement and CSIS to access the information in electronic service providers’ possession. There is no ability for one of those agencies to just go in and take what they need,” he added.
Leah West, a Carleton University professor specializing in national security law, cyber operations and counterterrorism who has advised the federal government and spy agencies, suggested to the Commons public safety committee earlier this month that Bill C-22 be amended to make it explicit that police services and CSIS cannot directly collect or intercept personal or private information from service providers’ systems.