Canada's Security Agencies Face Challenges Accessing Private Data: Intelligence Watchdog Report
Canadian security and intelligence organizations are facing "significant challenges" in detecting and responding to security threats, according to a recent report from the National Security and Intelligence Committee of Parliamentarians (NSICOP). These challenges stem from legislative gaps and outdated resources that limit their ability to legally access private messages.
Legislative Gaps and Outdated Resources Hinder Investigations
The NSICOP report examined the contentious issue of lawful access – court-approved interception of electronic communications. The report highlights that while privacy concerns are valid, organizations like the Canadian Security Intelligence Service (CSIS) and the RCMP are being hindered. They lack the necessary tools, policies, and legal authority to access communications effectively during investigations.
The committee expressed concern over the long-standing inability of successive governments to address these lawful access challenges. Encryption, the increasing volume, variety, and velocity of digitally generated data make it "difficult and sometimes impossible" to gather needed information. Leaving these challenges unaddressed would undermine Canada's national security in the long term. It could also impede Canada's ability to contribute effectively to the Five Eyes intelligence alliance.
Balancing Privacy and Public Safety
The report delves into the delicate balance between individual privacy rights and public safety. Access to personal information by security organizations is considered one of the "most intrusive powers of the state". Canadians expect such access to be legally prescribed, serve a legitimate purpose, and be necessary and proportionate. However, the report suggests Canadians would be surprised at the difficulty agencies face in obtaining lawful access to information.
Unlike some of Canada's allies, there is no legislation compelling service providers to develop or maintain systems for quickly providing information when CSIS and the RCMP present a judicial authorization. This gap creates delays, legal ambiguity, financial inefficiencies, and frustration for all parties. CSIS stated that the lack of intercept capability legislation "is the single greatest differentiator" compared to its Five Eyes partners.
Accessing Data Stored Outside Canada
The report also addresses challenges in accessing information stored outside of Canada. While privacy advocates suggested tapping into the vast troves of personal data collected by the private sector, CSIS countered that accessing this data is difficult because many large tech firms are U.S.-based.
Under the U.S. Stored Communications Act, American companies can't disclose communication content to foreign authorities without a U.S. court order. The RCMP must request data through a mutual legal assistance treaty, routing requests to the U.S. Department of Justice. The process can take three to six months, potentially impacting investigations due to delays and possible data deletion.
Circumventing Encryption: The Use of ODITs
The report also examined methods used by CSIS and the RCMP to bypass encryption, also known as "going dark." One method is the use of an "on-device investigative tool" (ODIT), software installed on targeted devices. This allows direct access to information before or after encryption. The RCMP considers it one of their "most complex and expensive technical collection programs". In one case, an ODIT helped uncover a plot to build a pressure-cooker bomb.
However, the committee expressed concern over reliance on the "ingenuity" of CSIS and the RCMP, rather than a robust configuration of tools, legal authorities, and resources. ODITs are expensive and often unreliable, as targets become more cybersecurity-savvy. Privacy advocates warn that circumventing encryption weakens cybersecurity, erodes public trust, and threatens democratic values. The report highlights that agencies lack systematic tracking of encryption challenges, relying on "anecdotes" to justify new legislation and resources.
Recommendations and the Path Forward
NSICOP concludes that significant challenges remain in accessing timely digital evidence. They urged the government to provide the security and intelligence community with the necessary tools, policies, and lawful authorities, while also protecting privacy. The report offers seven recommendations, including a comprehensive strategy to address lawful access challenges. It also includes prioritizing the Canada-U.S. Data Access Agreement.
The report also called on the government to publicly clarify its position on exceptional access to communication protected by encryption. CSIS has expressed agreement with most recommendations. The Liberals' Bill C-2, which includes lawful access amendments, faces opposition due to concerns over infringing personal privacy. Since the report was written, NSICOP lost its NDP voice as the party no longer has recognized status in the House.
