CSIS says new warrantless powers need more 'precision,' 'surprised' by border bill pushback

OTTAWA — Canada’s spy agency says it never intended for new warrantless information powers proposed in the Liberals’ spring national security bill to target medical providers and believes part of the legislation needs additional “precision”.

During a background briefing, two senior Canadian Security Intelligence Service (CSIS) officials argued that changes to the agency’s powers contained in the Liberals’ Strong Borders Act (C-2) are “reasonable and modest” and noted they’ve been surprised at some of the pushback.

National Post requested the briefing to better understand the intelligence agency’s challenges to lawfully access communications and the ongoing debate on C-2. The officials were granted anonymity because CSIS does not disclose the identity of most of its employees.

Bill C-2 — the first bill tabled by Prime Minister Mark Carney’s government — is a contentious piece of legislation in part because it proposes new unwarranted powers for the RCMP and CSIS to compel any service provider to fork over limited subscriber information.

If C-2 passes intact, law enforcement would be able to compel any service provider — be they doctors, lawyers, therapists, clinics or banks, etc. — to say if they’ve served an individual, during what period and in which province or municipality.

The intention is to inform law enforcement if it’s worth going through the more complex process of obtaining a warrant for a production order from that service provider. It also aims to help authorities circumscribe dates and locations when seeking a warrant targeting a specific individual suspected of posing a threat to national security, the CSIS officials said.

Much of that information is already forked over voluntarily by service providers when asked, much like when police enter a shop to ask a shopkeeper if they’ve served an individual before, the officials said. The law would make it obligatory to cooperate.

During the briefing, the officials candidly admitted that CSIS never intended for the new warrantless powers to target medical professionals or lawyers (whose work with clients is protected by solicitor-client privilege).

The officials agreed there are “reasonable” concerns about which service providers should be included and that the section “needs some additional precision”, signalling the agency is not opposed to medical professionals and lawyers being excluded.

Two weeks ago, Public Safety Minister Gary Anandasangaree admitted that the Liberals’ first attempt to improve warrantless search powers was imperfect and said he was open to amendments to C-2.

C-2 also proposes a new law, the Supporting Authorized Access to Information Act (SAAIA), that compels organizations that use any form of electronic services geared towards people in Canada or that operate in the country to implement tools to ensure data can be extracted and provided to authorities with a proper warrant.

The ability to obtain Canadians’ information and intercept communications, known as “lawful access,” is one of the most intrusive powers afforded to police and intelligence agencies. But NSICOP said its also necessary for law enforcement to be able to protect national security in the digital age.

The fact that C-2 proposes a new lawful access regime for electronic communications is “really, really positive development for us,” said one CSIS official.

In a comprehensive review of lawful access in Canada , the National Security and Intelligence Committee of Parliamentarians (NSICOP) called on the government to modernize outdated lawful access laws.

The review noted that Canada is the only member of the Five Eyes intelligence sharing alliance (with the U.S., U.K., Australia and New Zealand) that doesn’t have a lawful access regime for the digital era.

“The Committee thinks Canadians would be surprised to learn how difficult it actually is for security and intelligence agencies” to “conduct lawful access techniques”, NSICOP wrote.

On Friday, the senior CSIS officials shed further light on some of the challenges the lack of lawful access framework has had on their work.

They noted that because there is no standard among communications companies (such as telcos) about what type of data they must retain and for how long, CSIS will sometimes go through the complex process of obtaining a judicial warrant to intercept communications… only to discover the company doesn’t have what they’re looking for.

Because of their private data management policies, “some communications service providers have literally nothing we want. We can go through all the hoops (to obtain a judicial warrant) and they have nothing,” they explained.

Some companies retain information for five days, while others retain it for five years, they added.

The new bill would compel impacted providers to maintain certain data for a specified amount of time and in a way that can be extracted for law enforcement with a warrant.

The CSIS officials also said that the absence of predictability in what information electronic service providers maintain has become a major irritant for international partners such as members of the Five Eyes.

They also pushed back on some privacy advocates’ claim that SAAIA created a “back door” for law enforcement to access some of Canadians’ most sensitive information.

“Our view is that this is the best and most modest version” of a lawful access update, they added, saying that they learned lessons from both the mistakes of a failed lawful access reform by the Conservatives in 2013 and debates over the U.K.’s 2016 Investigatory Powers Act.

Some of commentary on the new lawful access regime appears driven by a “haunting” of past government proposals that went much further, the CSIS official added.

“There is no back door, and if a vulnerability is identified (in a provider’s systems), we can’t ask them to maintain it,” one senior official said. “We’re not going to ask for decryption keys” to help unlock encrypted communications either, said the other.

But much of the detail of the proposed SAAIA will be determined via regulation, leaving much uncertainty that concerns civil rights and privacy advocates.

Critics also argue that forcing all electronic service providers to create “technical capabilities” for authorities to access their data with a warrant creates new cybersecurity risks.

“These types of technical surveillance capability systems, and the vulnerabilities they create, are regularly, successfully and secretly targeted and compromised by foreign spy agencies and criminals alike,” wrote a coalition of civil liberty groups opposed to C-2 .

Despite major hiccups with C-2 that pushed the government to split the bill in two and table a new bill (C-12) two weeks ago without the contentious law enforcement changes, both Anandasangaree and Prime Minister Mark Carney said they are committed to a new lawful access regime .

Last month, intelligence watchdog NSICOP concluded as much.

“It is time for the government to act and provide the security and intelligence community with the tools, policies, and lawful authorities they require to do the work asked of them in the manner expected by Canadians which is responsive to and protective of their privacy,” the committee wrote.

National Post

cnardi@postmedia.com

• Liberals' first border bill 'imperfectly' tried to give law enforcement more warrantless power: minister
• Carney defends $700K salaries for CEOs of new federal agencies

Our website is the place for the latest breaking news, exclusive scoops, longreads and provocative commentary. Please bookmark nationalpost.com and sign up for our politics newsletter, First Reading, here.