I’m a Postdoctoral Fellow and Managing Director of the Telecom Transparency Project at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto. I'm also a Principal at Block G Privacy and Security Consulting. My research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. I’m currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. I try to think through how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.
NSIRA is responsible for conducting national security reviews of Canadian federal agencies, inclusive of “the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE), as well as the national security and intelligence activities of all other federal departments and agencies.” The expanded list of departments and agencies includes the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency (CBSA), the Department of National Defence (DND), Global Affairs Canada (GAC), and the Department of Justice (DoJ). As a result of their expansive mandate, the Agency has access to broad swathes of information about the activities which are undertaken by Canada’s national security and intelligence community.
Despite the potential significance of this breach, little has been publicly written about the possible implications of the unauthorized access. This post acts as an early round of analysis of the potential significance of the access by, first, outlining the kinds of information which may have been accessed by the unauthorized party and, then, raising a series of questions that remain unanswered in NSIRA’s statement. The answers to these questions may dictate the actual seriousness and severity of the cyber-incident.
What is Protected Information?
NSIRA’s unclassified information includes Protected information. Information is classified as Protected when, if compromised, it “could reasonably be expected to cause injury to a non-national interest—that is, an individual interest such as a person or an organization.” There are three classes of protected information that are applied based on the sensitivity of the information. Protected A could, if compromised, “cause injury to an individual, organization or government,” whereas compromising Protect B information could “cause serious injury.” Compromising Protected C information could “cause extremely grave injury”. Protected C information is safeguarded in the same manner as Confidential or Secret material which, respectively, could cause injury or could cause serious injury to “the national interest, defence and maintenance of the social, political, and economic wellbeing of Canada” in the case of either being compromised.
Intrusion into protected networks brings with it potentially significant concerns based on the information which may be obtained. Per Veterans Affairs, employee information associated with Protected A information could include ‘tombstone’ information such as name, home address, telephone numbers or date of birth, personal record identifiers, language test results, or views which if made public would cause embarrassment to the individual or organization. Protected B could include medical records (e.g., physical, psychiatric, or psychological descriptions), performance reviews, tax returns, an individual’s financial information, character assessments, or other files or information that are composed of a significant amount of personal information.
More broadly, Protected A information can include third-party business information that has been provided in confidence, contracts, or tenders. Protected B information in excess of staff information might include that which, if disclosed, could cause a loss of competitive advantage to a Canadian company or could impede the development of government policies such as by revealing Treasury Board submissions.
In short, information classified as Protected could be manipulated for a number of ends depending on the specifics of what information is in a computer network. Theoretically, and assuming that an expansive amount of protected information were present, the information might be used by third-parties to attempt to recruit or target government staff or could give insights into activities that NSIRA was interested in reviewing, or is actively reviewing. Further, were NSIRA either reviewing non-classified government policies or preparing such policies for the Treasury Board, the revelation of such information might advantage unauthorized parties by enabling them to predict or respond to those policies in advance of their being put in place.
Canadian students of national security have historically suffered in ways that their British and American colleagues have not. Whereas our Anglo-cousins enjoy a robust literature that, amongst other things, maps out what parts of their governments are involved in what elements of national security, Canadians have not had similar comprehensive maps. The result has been that scholars have been left to depend on personal connections, engagements with government insiders, leaked and redacted government documents, and a raft of supposition and logical inferences. Top Secret Canada: Understanding the Canadian Intelligence and National Security Community aspires to correct some of this asymmetry and is largely successful.
The book is divided into chapters about central agencies, core collection and advisory agencies, operations and enforcement and community engagement agencies, government departments with national security functions, and the evolving national security review landscape. Chapters generally adhere to a structure that describes an agency’s mandate, inter-agency cooperation, the resources possessed and needed by the organization, the challenges facing the agency, and its controversies. This framing gives both the book, and most chapters, a sense of continuity throughout.
The editors of the volume were successful in getting current, as well as former, government bureaucrats and policymakers, as well as academics, to contribute chapters. Part One, which discusses the central agencies, were amongst the most revealing. Fyffe’s discussion of the evolution of the National Security Intelligence Advisor’s role and the roles of the various intelligence secretariats, combined with Lilly’s explanation of the fast-paced and issue-driven focus of political staffers in the Prime Minister’s Office, pulls back the curtain of how Canada’s central agencies intersect with national security and intelligence issues. As useful as these chapters are, they also lay bare the difficulty in structuring the book: whereas Fyffe’s chapter faithfully outlines the Privy Council Office per the structure outlined in the volume’s introduction, Lilly’s adopts a structure that, significantly, outlines what government bureaucrats must do to be more effective in engaging with political staff as well as how political staffers’ skills and knowledge could be used by intelligence and security agencies. This bifurcation in the authors’ respective intents creates a tension in answering ‘who is this book for?’, which carries on in some subsequent chapters. Nonetheless, I found these chapters perhaps the most insightful for the national security-related challenges faced by those closest to the Prime Minister.
Canadian parliamentarians in the era of the pandemic have adopted distanced methods of conducting their business. This has seen many Members of Parliament (MPs) use video conferencing platforms so that they can broadcast from their kitchens, living rooms, home offices, and bedrooms. On April 14, 2021 there was an unfortunate situation where a conventionally attractive male MP inadvertently had his conferencing camera on while changing his clothing. Another MP or parliamentary staff member captured an image of his state of undress and subsequently shared it with media organizations.
This situation raises a question of law and, separately and more broadly, provides an opportunity to highlight the pervasive problems facing Canadian society in terms of addressing sexual violence, the non-consensual sharing of their intimate images (meant in a non-legal sense), and intimate partner abuse.
Facts at Hand
Due to how the parliamentary video system is configured, the only people who could have witnessed this incident were either other MPs or parliamentary staff members on the video conference. This meant that while the meeting was open to the public the actual video stream capturing the MP’s state of undress was (at the time) only visible to a relatively small group of people. At least one member of that small group took a photo of the MP and subsequently shared it. The image has, subsequently, been shared by the press and by individuals on social media, though admittedly with some censorship applied to the image. Unsurprisingly, this led to a number of jokes about the MP, their state of undress, the MP being too transparent, and more.
Unlike many others, I did not find the non-consensual sharing of the image to be particularly funny. Instead, I quickly and publicly raised the question of whether either the MP or staff member who shared the image, or an offending MP’s party, would be willing to come before the Canadian public and explain why their actions did not contravene Section 162.1 of the Criminal Code of Canada. This part of the Criminal Code makes it a criminal offence for someone to publish an intimate image without consent. I also firmly stated that I was disgusted by the image having been shared and that I thought whomever shared it should be disciplined.
The first question is: did an MP or staffer potentially violate 162.1 in sharing the image, setting aside potential parliamentary privileges that may shield parliamentarians from investigation or charges?
Intimate Images and the Criminal Code of Canada
To potentially be guilty of violating the Criminal Code in sharing this image, the MP’s or parliamentary staffer’s actions must satisfy a set of criteria.
Whomever shared the image certainly knowingly published, distributed, transmitted, or made available “an intimate image of a person knowing that the person depicted in the image did not give their consent to that conduct” (162.2(1)). If the rest of section 162.1 of the Criminal Code is satisfied then that individual is guilty of an offence, which is “liable to imprisonment for a term of not more than five years” (162.1(1)(a)).
Moving on, per the Code, an intimate image “means a visual recording of a person made by any means including a photographic, film or video recording” (162.1(2)) where the following conditions are met:
(a) in which the person is nude, is exposing his or her genital organs or anal region or her breasts or is engaged in explicit sexual activity;
(b) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy; and
(c) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed.
The MP was certainly nude, satisfying 162.1(2)(a). They were in their own home, which would normally move towards satisfying 162.1(2)(b) but, in this case, the MP was also (unintentionally) broadcasting their image. So, in a sense this may suggest that the MP lacks a reasonable expectation of privacy. However, there are extenuating facts. Members of Parliament are not permitted to take images of screens and, as such, there may be some kind of a reasonable expectation of privacy insofar as MPs can expect that their image will not be captured or shared based on what is broadcast to other MPs but not the public. Attenuating this potential reasonable expectation of privacy is that the MP who’s image was captured was exclusively visible to other MPs and parliamentary staff members, further indicating that this was potentially a kind of a semi-public situation. Canadian courts have tended to take a sympathetic view of what constitutes a reasonable expectation of privacy, though whether they would recognize this situation as meeting the standard would need more substantial assessment than I will provide here.
However, for the sake of the analysis, let’s imagine that 162.1(2) is satisfied. Does the party who shared the image have a defense if that’s the case? I doubt it.
The Criminal Code states at 162.1(3) that “[n]o person shall be convicted of an offence under this section if the conduct that forms the subject-matter of the charge serves the public good and does not extend beyond what serves the public good.” I cannot imagine a situation where capturing and sharing the image serves the public good. In clarifying 162.1(3), section 162.1(4) lays out that:
(a) it is a question of law whether the conduct serves the public good and whether there is evidence that the conduct alleged goes beyond what serves the public good, but it is a question of fact whether the conduct does or does not extend beyond what serves the public good; and
(b) the motives of an accused are irrelevant.
I would suspect that if a court was convinced that the elements of 162.1(2) were satisfied then 162.1(4) would not save the offending MP’s or staffer’s behaviour.
Broader Non-Criminal Code Analysis
Even if the person who initially shared the image did not violate the Criminal Code either because of the arcane nature of parliamentary rules, because the image doesn’t meet the definition of 162.1(2), or simply because no criminal charge is brought against them, the act of sharing this image has real-world implications. In essence, while there is an understandable attraction to asking whether someone violated the law we need to broaden our mode of analysis to appreciate the harms of sharing these kinds of images.
First, it’s useful to remind ourselves that the man who’s image was captured and shared almost immediately apologized for his lack of decorum. As someone who inadvertently engaged in a behaviour that (clearly) ran counter to professional standards he owned up to the mistake and committed to being more studiously careful in the future.
Second, the man is conventionally attractive and because of this status he, as a man, is generally expected by members of society to roll with the comments: it’s embarrassing but there is an expectation that this is ‘funny’. However, imagine that it had been a woman, or someone who is transgender, or someone undergoing a gender transition who’s image had been captured. Were this the case I am certain that, first, there would be much crueler commentary (revealing structural sexism) and, second, that people would broadly leap up and (rightly) insist that the commentary was wrong and inappropriate. Simply because it was a man who was captured on camera does not make it ‘funny’; the very perception that this incident should be treated as funny reifies some of the challenges facing men who are victims or survivors of sexual harassment, assault, and intimate partner violence.
When members of society make fun of men who have been the subject of sexual violence, the non-consensual sharing of their intimate images (meant in a non-legal sense), and intimate partner abuse then men more broadly learn that they shouldn’t come forward to report or discuss these kinds of harms on the basis that they aren’t ‘harmed’ in the eyes of society. While less discussed, men are indeed victims and survivors of assault, abuse, sexual blackmail, and harassment. As a society we need to get a lot better at appreciating these forms of violence towards men and in creating a culture where they can come forward without an expectation of them being ‘weak’ or ‘not getting the joke’. I say this while recognizing that, proportionally, women, and members of the lesbian, gay, bisexual, transgender, queer or questioning, and two-spirit (LBGTQ2+) communities suffer from these harms more regularly and disproportionately than straight men. Nonetheless, if we are to develop societies that are more inclusive, that encourage men to develop emotional intelligence and sensitivity, and that broadly combat sexism and the pervasive and pernicious ills of sexual violence then it’s important that we take harms towards men as seriously as we do for other members of society who also suffer from sexual violence, non-consensual sharing of intimate images, and intimate partner abuse..
So, was a crime committed? That’s a good question, and I’ll ultimately leave it to lawyers to argue about the nuances of how Canadian case law and the depths of our privacy law intersects with Section 162.1 of the Criminal Code. But while the law is an important point of discussion, the discussion cannot stop and end at the law’s edge. More significantly, the idea that someone thought it was appropriate (and, likely, just funny) to share the image of an unclothed male member of parliament underscores the amount of work that Canadian society–inclusive of Canadian elites–has ahead of it in the ongoing efforts to address sexual violence, non-consensual sharing of intimate images, and intimate partner violence.
I suspect that the MP or parliamentary staffer who shared the image did so without a deep sense of malice in their heart. I half suspect it was a near-thoughtless action. But the very fact that they thought it was appropriate or funny to share this image reveals how sexual harassment and violence structurally pervades Canadian society. Such activities are often legitimized by way of humour and, in doing so, showcase the depths at which these behaviours are normalized. In short, the very sharing of the image serves to remind us of the circumstances of structural sexual violence that we operate in, each and every day.
How can things ‘move forward’? On the one hand, I hope that the offending MP or staffer comes forward. I would rush to state that I don’t think that this means that the Criminal Code should necessarily be thrown at them! Instead, I think that it’s important for the person to make themselves publicly accountable for censure and take responsibly for their action, as the male MP did for his inappropriate state of dress. I don’t believe that every, or even most, social ills are best solved by turning to the law.
But more substantively, I think that the best thing that can come from this situation is to hopefully provoke introspection about the biases that we all carry with us concerning sexual violence. Why did we, or our friends or family or colleagues, think that this incident was funny? What does our sense of this being funny reveal about the structural conditions of sexual violence that we operate within? What can we learn from our reactions, and how might we have behaved if we’d applied a bit more introspection? How can we have conversations with other people about sexual violence to better appreciate and understand how pervasive it is in our society, and what roles can and should we assume to combat these kinds of ills?
To be clear, I think that it is the work of each individual to think through these issues either on their own or in conversation with others who express an interest in the conversation. I don’t think that it’s the role of those who have been affected by sexual violence, the non-consensual sharing of their intimate images, and intimate partner abuse to do the labour to educate the rest of the population; they’re obviously free to do so, but cannot and should not be expected to do so.
I truly believe that, on the whole, Canadians really do want to have an inclusive and equitable society. To get closer to this ideal we all have to play a role in opposing, and working to overcome, historical structural and social harms. In part, this means reflecting more seriously on structural sexual harms, inclusive of those directed towards men, and the norms surrounding and often justifying or setting aside these harms. Hopefully this unfortunate parliamentary incident fosters at least some of those conversations and reflections so that something positive can come out of this affair.
Last week I appeared before the Special Committee on Canada-Chinese Relations to testify about the security challenges posed by Chinese infrastructure vendors and communications intermediaries. . I provided oral comments to the committee which were, substantially, a truncated version of the brief I submitted. If so interested, my oral comments are available to download, and what follows in this post is the actual brief which was submitted.
I am a senior research associate at the Citizen Lab, Munk School of Global Affairs & Public Policy at the University of Toronto. My research explores the intersection of law, policy, and technology, and focuses on issues of national security, data security, and data privacy. I submit these comments in a professional capacity representing my views and those of the Citizen Lab.
Successive international efforts to globalize trade and supply chains have led to many products being designed, developed, manufactured, or shipped through China. This has, in part, meant that Chinese companies are regularly involved in the creation and distribution of products that are used in the daily lives of billions of people around the world, including products that are integrated into Canadians’ personal lives and the critical infrastructures on which they depend. The Chinese government’s increasing assertiveness on the international stage and its belligerent behaviours, in tandem with opaque national security laws, have led to questioning in many Western countries of the extent to which products which come from China can be trusted. In particular, two questions are regularly raised: might supply chains be used as diplomatic or trade leverage or, alternately, will products produced in, transited through, or operated from China be used to facilitate government intelligence, attack, or influence operations?
For decades there have been constant concerns about managing technology products’ supply chains. In recent years, they have focused on telecommunications equipment, such as that produced by ZTE and Huawei, as well as the ways that social media platforms such as WeChat or TikTok could be surreptitiously used to advance the Chinese government’s interests. As a result of these concerns some of Canada’s allies have formally or informally blocked Chinese telecommunications vendors’ equipment from critical infrastructure. In the United States, military personnel are restricted in which mobile devices they can buy on base and they are advised to not use applications like TikTok, and the Trump administration aggressively sought to modify the terms under which Chinese social media platforms were available in the United States marketplace.
Legislators and some security professionals have worried that ZTE or Huawei products might be deliberately modified to facilitate Chinese intelligence or attack operations, or be drawn into bilateral negotiations or conflicts that could arise with the Chinese government. Further, social media platforms might be used to facilitate surveillance of international users of the applications, or the platforms’ algorithms could be configured to censor content or to conduct imperceptible influence operations.
Just as there are generalized concerns about supply chains there are also profound worries about the state of computer (in)security. Serious computer vulnerabilities are exposed and exploited on a daily basis. State operators take advantage of vulnerabilities in hardware and software alike to facilitate computer network discovery, exploitation, and attack operations, with operations often divided between formal national security organs, branches of national militaries, and informal state-adjacent (and often criminal) operators. Criminal organizations, similarly, discover and take advantage of vulnerabilities in digital systems to conduct identity theft, steal intellectual property for clients or to sell on black markets, use and monetize vulnerabilities in ransomware campaigns, and otherwise engage in socially deleterious activities.
In aggregate, issues of supply chain management and computer insecurity raise baseline questions of trust: how can we trust that equipment or platforms have not been deliberately modified or exploited to the detriment of Canadian interests? And given the state of computer insecurity, how can we rely on technologies with distributed and international development and production teams? In the rest of this submission, I expand on specific trust-related concerns and identify ways to engender trust or, at the very least, make it easier to identify when we should in fact be less trusting of equipment or services which are available to Canadians and Canadian organizations.
The Canadian SIGINT Summaries includes downloadable copies, along with summary, publication, and original source information, of leaked CSE documents.
Parsons, Christopher; and Molnar, Adam. (2021). “Horizontal Accountability and Signals Intelligence: Lesson Drawing from Annual Electronic Surveillance Reports,” David Murakami Wood and David Lyon (Eds.), Big Data Surveillance and Security Intelligence: The Canadian Case.
Parsons, Christopher. (2015). “Stuck on the Agenda: Drawing lessons from the stagnation of ‘lawful access’ legislation in Canada,” Michael Geist (ed.), Law, Privacy and Surveillance in Canada in the Post-Snowden Era (Ottawa University Press).
Parsons, Christopher. (2015). “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” Telecom Transparency Project.
Parsons, Christopher. (2015). “Beyond the ATIP: New methods for interrogating state surveillance,” in Jamie Brownlee and Kevin Walby (Eds.), Access to Information and Social Justice (Arbeiter Ring Publishing).
Bennett, Colin; Parsons, Christopher; Molnar, Adam. (2014). “Forgetting and the right to be forgotten” in Serge Gutwirth et al. (Eds.), Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges.
Bennett, Colin, and Parsons, Christopher. (2013). “Privacy and Surveillance: The Multi-Disciplinary Literature on the Capture, Use, and Disclosure of Personal information in Cyberspace” in W. Dutton (Ed.), Oxford Handbook of Internet Studies.
McPhail, Brenda; Parsons, Christopher; Ferenbok, Joseph; Smith, Karen; and Clement, Andrew. (2013). “Identifying Canadians at the Border: ePassports and the 9/11 legacy,” in Canadian Journal of Law and Society 27(3).
Parsons, Christopher; Savirimuthu, Joseph; Wipond, Rob; McArthur, Kevin. (2012). “ANPR: Code and Rhetorics of Compliance,” in European Journal of Law and Technology 3(3).