Bill C-59, is being scrutinized by a House of Commons committee in Ottawa.
The bill grants what some critics are calling “extraordinarily permissive” new powers to Canada’s Communications Security Establishment (CSE).
If Bill C-59 were to pass , it would make it a lot easier for CSE to launch a cyber attack abroad, engaging in covert operations that could even include sabotaging a foreign electrical grid.
But that may not cause Canadians to have any sleepless nights, unless it has to do with their personal information. Turns out it is being scooped up by the agency, despite rules designed to prevent it.
If passed, Bill C-59 would immediately expand the CSE’s mandate beyond just information gathering.
CSE employees could conduct “defensive cyber operations” and “active cyber operations.”
The “defensive” actions, under the law, would need to somehow protect the government’s online information and cyber-infrastructure, as well as other online information and infrastructure “of importance to the Government.”
The active cyber operations, meanwhile, could be carried out to “degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.”
Short of bodily harm, murder or the perversion of the course of “democracy” or “justice”, the CSE would also be allowed to do “anything that is reasonably necessary to maintain the covert nature of the activity” when it comes to its defensive or offensive moves.
Bill C-59 will also establish new or expanded oversight mechanisms for these increased powers.
Before engaging in any of the hacking or other actions described above, the CSE would need to get the green light from the federal defence minister and, in the case of actively launching cyber attacks on foreign soil, from the minister of foreign affairs.
The spy agency will also be required to report the outcomes of all these activities to those ministers.
The CSE would, in addition, be subject to more general oversight by two arm’s-length bodies:
An Intelligence Commissioner responsible for keeping an eye on multiple security agencies
A National Security and Intelligence Review Agency
Facial imagery, posts, photographs, videos, relationships and location data shared via social media could certainly qualify. So might personal data made public by hackers.
These days citizens in virtually every country are worried about their privacy being compromised by non-state hackers, marketers and other unscrupulous elements out to separate them from their money. Given all the risks out there from non-state actors, some might simply shrug and say to themselves, ‘the devil you know is better than the devil you don’t know.’