Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure

November 1, 2023November 1, 2023 / Christopher Parsons

Last week, I published a report with Gary Miller and the Citizen Lab entitled, “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure.” I undertook this research while still employed by the Citizen Lab and was delighted to see it available to the public. In it, we discuss how the configuration and vulnerabilities of contemporary telecommunications networks enables surveillance actors to surreptitiously monitor the location of mobile phone users.

The report provides a high-level overview of the geolocation-related threats associated with contemporary networks that depend on the protocols used by 3G, 4G, and 5G network operators, followed by evidence of the proliferation of these threats. Part 1 provides the historical context of unauthorized location disclosures in mobile networks and the importance of the target identifiers used by surveillance actors. Part 2 explains how mobile networks are made vulnerable by signaling protocols used for international roaming, and how networks are made available to surveillance actors to carry out attacks. An overview of the mobile ecosystem lays the foundation for the technical details of domestic versus international network surveillance, while the vectors of active versus passive surveillance techniques with evidence of attacks shows how location information is presented to the actor. Part 3 provides details of a case study from a media report that shows evidence of widespread state-sponsored surveillance, followed by threat intelligence data revealing network sources attributed to attacks detected in 2023. These case studies underscore the significance and relevance of undertaking these kinds of surveillance operations.

Deficiencies in oversight and accountability of network security are discussed in Part 4. This includes outlining the incentives and enablers that are provided to surveillance actors from industry organizations and government regulatory agencies. Part 5 makes clear that the adoption of 5G technologies will not mitigate future surveillance risks unless policymakers quickly move to compel telecommunications providers to adopt the security features that are available in 5G standards and equipment. If policymakers do not move swiftly then surveillance actors may continue to prey upon mobile phone users by tracking their physical location. Such a future paints a bleak picture of user privacy and must be avoided.

Download a ,pdf version of “Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure

Relaunch of the SIGINT Summaries

January 18, 2023 / Christopher Parsons

In 2013, journalists began revealing secrets associated with members of the Five Eyes (FVEY) intelligence alliance. These secrets were disclosed by Edward Snowden, a US intelligence contractor. The journalists who published about the documents did so after carefully assessing their content and removing information that was identified as unduly injurious to national security interests or that threatened to reveal individuals’ identities.

During my tenure at the Citizen Lab I provided expert advice to journalists about the newsworthiness of different documents and, also, when content should be redacted as its release was not in the public interest. In some cases documents that were incredibly interesting were never published on the basis that doing so would be injurious to national security, notwithstanding the potential newsworthiness of the documents in question. As an element of my work, I identified and summarized published documents and covernames which were associated with Canada’s signals intelligence agency, the Communications Security Establishment (CSE).

I am happy to announce a re-launching of the SIGINT summaries but with far more content. Content, today, includes:

Listings and explanations of hundreds of covernames (e.g., CASCADE, MEMORYHOLE, SPEARGUN, or PUZZLECUBE) that were used by the FVEY, including by Canada, New Zealand, the United Kingdom, and the United States.¹
Summaries of approximately 300 Snowden documents, which have been authored by the Australian, Canadian, New Zealand, United Kingdom, and United States’ signals intelligence agencies.

In all cases the materials which are summarised on my website have been published, in open-source, by professional news organizations or other publishers. None of the material that I summarise or host is new and none of it has been leaked or provided to me by government or non-government bodies. No current or former intelligence officer has provided me with details about any of the covernames or underlying documents. This said, researchers associated with the Citizen Lab and other academic institutions have, in the past, contributed to some of the materials published on this website.

As a caveat, all descriptions of what the covernames mean or refer to, and what are contained in individual documents leaked by Edward Snowden, are provided on a best-effort basis. Entries will be updated periodically as time is available to analyse further documents or materials.

How Were Documents Summarized?

In assessing any document I have undertaken the following steps:

Re-created my template for all Snowden documents, which includes information about the title, metadata associated with the document (e.g., when it was made public and in what news story, when it was created, which agency created it), and a listing of the covernames listed in the document.
When searching documents for covernames, I moved slowly through the document and, often, zoomed into charts, figures, or other materials in order to decipher both covernames which are prominent in the given document as well as covernames in much smaller fonts. The result of this is that in some cases my analyses of documents have indicated more covernames being present than in other public repositories which have relied on OCR-based methods to extract covernames from texts.
I read carefully through the text of the document, sometimes several times, to try and provide a summary of the highlights in a given document. Note that this is based on my own background and, as such, it is possible that the summaries which are generated may miss items that other readers find notable or interesting. These summaries try and avoid editorialising to the best of my ability.
In a separate file, I have a listing of the given agency’s covernames. Using the listed covernames in the summary, I worked through the document in question to assess what, if anything, was said about a covername and whether what was said is new or expanded my understanding of a covername. Where it did, I added additional sentences to the covername in the listing of the relevant agency’s covernames along with a page reference to source the new information. The intent, here, was to both develop a kind of partial covername decoder and, also, to enable other experts to assess how I have reached conclusions about what covernames mean. This enables them to more easily assess the covername descriptions I have provided.
There is sometimes an editorial process which involved rough third-party copyediting and expert peer review. Both of these, however, have been reliant on external parties having the time and expertise to provide these services. While many of the summaries and covername listings have been copyedited or reviewed, this is not the case for all of them.
Finally, the new entries have been published on this website.

Also, as part of my assessment process I have normalized the names of documents. This has meant I’ve often re-named original documents and, in some cases, split conjoined documents which were published by news organizations into individual documents (e.g., a news organization may have published a series of documents linked to AURORAGOLD as a single .pdf instead of publishing each document or slide deck as its own .pdf). The result is that some of the materials which are published on this website may appear new—it may seem as though there are no other sources on the Internet that appear to host a given document—but, in fact, these are just smaller parts of larger conjoined .pdfs.

Commonly Asked Questions

Why isn’t XXX document included in your list of summarised documents? It’s one of the important ones!

There are a lot of documents to work through and, to some extent, my review of them has been motivated either by specific projects or based on a listing of documents that I have time to assess over the past many years. Documents have not been processed based on when they were published. It can take anywhere from 10 minutes to 5 hours or more to process a given document, and at times I have chosen to focus on documents based on the time available to me or by research projects I have undertaken.

Why haven’t you talked about the legal or ethical dimensions of these documents?

There are any number of venues where I have professionally discussed the activities which have been carried out by, and continue to be carried out by, Western signals intelligence agencies. The purpose of these summaries is to provide a maximally unbiased explanation of what is actually in the documents, instead of injecting my own views of what they describe.

A core problem in discussing the Snowden documents is a blurring of what the documents actually say versus what people think they say, and the appropriateness or legality of what is described in them. This project is an effort to provide a more robust foundation to understand the documents, themselves, and then from there other scholars and experts may have more robust assessments of their content.

Aren’t you endangering national security by publishing this material?

No, I don’t believe that I am. Documents which I summarise and the covernames which I summarise have been public for many, many years. These are, functionally, now historical texts.

Any professional intelligence service worth its salt will have already mined all of these documents and performed an equivalent level of analysis some time ago. Scholars, the public, and other experts however have not had the same resources to similarly analyse and derive value from the documents. In the spirit of open scholarship I am sharing these summaries. I also hope that it is helpful for policymakers so that they can better assess and understand the historical capabilities of some of the most influential and powerful signals intelligence agencies in the world.

Finally, all of the documents, and covernames, which are summarised have been public for a considerable period of time. Programs will have since been further developed or been terminated, and covernames rotated.

What is the narrative across the documents and covernames?

I regard the content published here as a kind of repository that can help the public and researchers undertake their own processes of discovery, based on their own interests. Are you interested in how the FVEY agencies have assessed VPNs, encryption, smartphones, or other topics? Then you could do a search on agencies’ summary lists or covernames to find content of interest. More broadly, however, I think that there is a substantial amount of material which has been synthesised by journalists or academics; these summaries can be helpful to assess their accuracy in discussing the underlying material and, in most cases, the summaries of particular documents link to journalistic reporting that tries to provide a broader narrative to sets of documents.

Why haven’t you made this easier to understand?

I am aware that some of the material is still challenging to read. This was the case for me when I started reading the Snowden documents, and actually led to several revisions of reading/revising summaries as I and colleagues developed a deeper understanding for what the documents were trying to communicate.

To some extent, reading the Snowden documents parallels learning a novel language. As such, it is frustrating to engage with at first but, over time, you can develop an understanding of the structure and grammar of the language. The same is true as you read more of the summaries, underlying documents, and covername descriptions. My intent is that with the material assembled on this website the time to become fluent will be massively reduced.

Future Plans

Over time I hope to continue to add to the summaries, though this will continue as a personal historical project. As such, updates will be made only as I have time available to commit to the work.

As of writing, no reviewed Snowden document explicitly discloses an ASD covername. ↩︎

Website Resource Updates

January 10, 2023 / Christopher Parsons

Over the past several months I’ve updated a number of the resources on this website and it’s time to make it a little more apparent to other scholars, experts, and members of the public.

ATIP Repository

As part of my day job at the Citizen Lab I’ve regularly relied on access to information legislation to better understand how the federal government is taking up, and addressing, national security-related issues. It can be difficult for other parties, however, to get access to the same documents given the federal government’s policy of not proactively releasing ATIPs after a year or two.

The result is that scholars and journalists regularly sift through documents that have been released to them for what interests them but they may miss other interesting, or even essential, information that is outside of their interests or expertise. To try and at least somewhat ameliorate that issue I’ve spent the past several months uploading a large number of ATIP releases that I have collected over the past decades. Some were filed by me but the majority were either provided by other scholars or journalists, or retroactively obtained as a re-released package.

The bulk of the ATIPs are associated with CSIS, CSE, and Public Safety Canada. Other agencies and departments include: Department of Justice; Department of National Defence; Employment and Social Development Canada; Global Affairs Canada; Immigration, Refugees and Citizen Canada; Innovation, Science and Economic Development Canada; Office of the Communications Security Establishment Commissioner; Office of the Privacy Commissioner of Canada; Privy Counsel Office; Royal Canadian Mounted Police; Shared Services Canada; Transport Canada; and Treasury Board of Canada.

In many cases I have provided some brief description of things I found notable in the ATIP packages though I have not done so in all cases.

Access ATIP Repository

Order Paper Responses

Under the Canadian parliamentary systems, members of parliament can issue order paper questions to the government. Such questions must be specific and pertain to public affairs. They are typically addressed to government Ministers. The purpose of such questions is to obtain precise or detailed answers and, as such, overly broad questions may be split or broken down to elicit such a response from government agencies. The government is expect to reply within 45 days though this norm is not enforceable by parliament. In the event of parliament being prorogued the Order Paper is cleared and any requests or questions are cancelled.

I have collected a set of Order Paper questions that address issues such as Facial Recognition Technology, mobile device surveillance, data collection by CSIS, disclosures of subscriber information, monitoring of protests, and government interception techniques. None of these Order Paper documents are accompanied by commentary.

Access Order Paper Repository

Canadian Electronic Surveillance Reports

Over the past several years I have undertaken research exploring how, how often, and for what reasons governments in Canada have accessed telecommunications data. As one facet of this line of research I worked with Dr. Adam Molnar and Benjamin Ballard to understand the regularity at which policing agencies across Canada have sought, and obtained, warrants to lawfully engage in real-time electronic surveillance. Such data is particularly important given the regularity at which law enforcement agencies call for new powers; how effective are historical methods of capturing communications data? How useful are the statistics which are tabled by governments?

I have collated the reports which have been published by the provincial and federal governments and, also, noted where provincial governments have failed to provide these reports despite being required to published them under the Criminal Code of Canada. I have not provided any analysis of these reports on this website, aside from a paper I wrote with Dr. Adam Molnar about lawful interception entitled, “Government Surveillance Accountability: The Failures of Contemporary Canadian Interception Reports.”

Access Canadian Electronic Surveillance Reports Repository

Miscellaneous

Finally, I’ve published documents that the RCMP provided to the ETHI Committee concerning its use of On Device Investigative Tools (ODITs), or the malware used by RCMP to gain access to personal devices. These documents were removed from the Committee’s website and so I’ve made them available here, as the were once publicly available materials and remain important for advancing public policy about how and when the RCMP can use these kinds of techniques.

Access ODIT Repository

Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law

November 29, 2022November 25, 2022 / Christopher Parsons

Earlier this month Amanda Cutinha and I published a report, entitled “Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law.” In it, we examine how the Government of Canada obtained and used mobility data over the course of the COVID-19 pandemic, and use that recent history to analyse and critique the Consumer Privacy Protection Act (CPPA).

The report provides a detailed summary of how mobility information was collected as well as a legal analysis of why the collection and use of this information likely conformed with the Privacy Act as well as the Personal Information Protection and Electronic Documents Act (PIPEDA). We use this conformity to highlight a series of latent governance challenges in PIPEDA, namely:

PIPEDA fails to adequately protect the privacy interests at stake with de-identified and aggregated data despite risks that are associated with re-identification.
PIPEDA lacks requirements that individuals be informed of how their data is de-identified or used for secondary purposes.
PIPEDA does not enable individuals or communities to substantively prevent harmful impacts of data sharing with the government.
PIPEDA lacks sufficient checks and balances to ensure that meaningful consent is obtained to collect, use, or disclose de-identified data.
PIPEDA does not account for Indigenous data sovereignty nor does it account for Indigenous sovereignty principles in the United Nations Declaration on the Rights of Indigenous Peoples, which has been adopted by Canada.
PIPEDA generally lacks sufficient enforcement mechanisms.

We leverage these governance challenges to, subsequently, analyse and suggest amendments to the CPPA. Our report’s 19 amendments would affect:

Governance of de-identified data
Enhancing knowledge and consent requirements surrounding the socially beneficial purposes exemption and legitimate interest exemption
Meaningful consent for secondary uses
Indigenous sovereignty
Enforcement mechanisms
Accessibility and corporate transparency

While we frankly believe that the legislation should be withdrawn and re-drafted with human rights as the guide stone of the legislation we also recognise that this is unlikely to happen. As such, our amendments are meant to round off some of the sharp edges of the legislation, though we also recognise that further amendments to other parts of the legislation are likely required.

Ultimately, if the government of Canada is truly serious about ensuring that individuals and communities are involved in developing policies pursuant to themselves and their communities, ameliorating disadvantages faced by marginalized residents of Canada, and committing to reconciliation with Indigenous populations, it will commit to serious amendments of C-27 and the CPPA. Our recommendations are made in the spirit of addressing the gaps in this new legislation that are laid bare when assessing how it intersects with Health Canada’s historical use of locational information. They are, however, only a start toward the necessary amendments for this legislation.

Executive Summary

The Government of Canada obtained de-identified and aggregated mobility data from private companies for the socially beneficial purpose of trying to understand and combat the spread of COVID-19. This collection began as early as March 2020, and the information was provided by Telus and BlueDot. It wasn’t until December 2021, after the government issued a request for proposals for cellular tower information that would extend the collection of mobility information, that the public became widely aware of the practice. Parliamentary meetings into the government’s collection of mobility data began shortly thereafter, and a key finding was that Canada’s existing privacy legislation is largely ineffective in managing the collection, use, and disclosure of data in a manner that recognizes the privacy rights of individuals. In spite of this finding, the federal government introduced Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts in June 2022 which, if passed into law, will fail to correct existing deficiencies in Canada’s federal commercial privacy law. In particular, Bill C-27 would make explicit that the government can continue collecting information, including mobility data from private organizations, so long as uses were socially beneficial and without clearly demarcating what will or will not constitute such uses in the future.

This report, “Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under the Socially Beneficial and Legitimate Interest Exemptions in Canadian Privacy Law,” critically assesses the government’s existing practice of collecting mobility information for socially beneficial purposes as well as private organizations’ ability to collect and use personal information without first obtaining consent from individuals or providing them with knowledge of the commercial activities. It uses examples raised during the COVID-19 pandemic to propose 19 legislative amendments to Bill C-27. These amendments would enhance corporate and government accountability for the collection, use, and disclosure of information about Canadian residents and communities, including for so-called de-identified information.

Part 1 provides a background of key privacy issues that were linked to collecting mobility data during the COVID-19 pandemic. We pay specific attention to the implementation of new technologies to collect, use, and disclose data, such as those used for contact-tracing applications and those that foreign governments used to collect mobility information from telecommunications carriers. We also attend to the concerns that are linked to collecting location information and why there is a consequent need to develop robust governance frameworks.

Part 2 focuses on the collection of mobility data in Canada. It outlines what is presently known about how Telus and BlueDot collected the mobility information that was subsequently disclosed to the government in aggregated and de-identified formats, and it discusses the key concerns raised in meetings held by the Standing Committee on Access to Information, Privacy and Ethics. The Committee’s meetings and final report make clear that there was an absence of appropriate public communication from the federal government about its collection of mobility information as well as a failure to meaningfully consult with the Office of the Privacy Commissioner of Canada. The Government of Canada also failed to verify that Telus and BlueDot had obtained meaningful consent prior to receiving data that was used to generate insights into Canadian residents’ activities during the pandemic.

Part 3 explores the lawfulness of the collection of mobility data by BlueDot and Telus and the disclosure of the data to the Public Health Agency of Canada under existing federal privacy law. Overall, we find that BlueDot and Telus likely complied with current privacy legislation. The assessment of the lawfulness of BlueDot and Telus’ activities serves to reveal deficiencies in Canada’s two pieces of federal privacy legislation, the Privacy Actand the Personal Information Protection and Electronic Documents Act (PIPEDA).

In Part 4, we identify six thematic deficiencies in Canada’s commercial privacy legislation:

PIPEDA fails to adequately protect the privacy interests at stake with de-identified and aggregated data despite risks that are associated with re-identification.
PIPEDA lacks requirements that individuals be informed of how their data is de-identified or used for secondary purposes.
PIPEDA does not enable individuals or communities to substantively prevent harmful impacts of data sharing with the government.
PIPEDA lacks sufficient checks and balances to ensure that meaningful consent is obtained to collect, use, or disclose de-identified data.
PIPEDA does not account for Indigenous data sovereignty nor does it account for Indigenous sovereignty principles in the United Nations Declaration on the Rights of Indigenous Peoples, which has been adopted by Canada.
PIPEDA generally lacks sufficient enforcement mechanisms.

The Government of Canada has introduced the Consumer Privacy Protection Act (CPPA) in Bill C-27 to replace PIPEDA. Part 5 demonstrates that Bill C-27 does not adequately ameliorate the deficiencies of PIPEDA as discussed in Part 4. Throughout, Part 5 offers corrective recommendations to the Consumer Privacy Protection Act that would alleviate many of the thematic issues facing PIPEDA and, by extension, the CPPA.

The federal government and private organizations envision the Consumer Privacy Protection Act as permitting private individuals’ and communities’ data to be exploited for the benefit of the economy and society alike. The legislation includes exceptions to consent and sometimes waives the protections that would normally be associated with de-identified data, where such exemptions could advance socially beneficial purposes or legitimate business interests. While neither the government nor private business necessarily intend to use de-identified information to injure, endanger, or negatively affect the persons and communities from whom the data is obtained, the breadth of potential socially beneficial purposes means that future governments will have a wide ambit to define the conceptual and practical meaning of these purposes. Some governments, as an example, might analyze de-identified data to assess how far people must travel to obtain abortion-care services and, subsequently, recognize that more services are required. Other governments could use the same de-identified mobility data and come to the opposite conclusion and selectively adopt policies to impair access to such services. This is but one of many examples. There are similar, though not identical, dangers that may arise should private organizations be able to collect or use an individual’s personal information without their consent under the legitimate interest exemption in the CPPA. Specifically, this exemption would let private organizations determine whether the collection or use of personal information outweighs the adverse effects of doing so, with the individuals and communities affected being left unaware of how personal information was collected or used, and thus unable to oppose collections or uses with which they disagree.

Parliamentary committees, the Office of the Privacy Commissioner of Canada, Canadian academics, and civil society organizations have all called for the federal government to amend federal privacy legislation. As presently drafted, however, the Consumer Privacy Protection Act would reaffirm existing deficiencies that exist in Canadian law while opening the door to expanded data collection, use, and disclosure by private organizations to the federal government without sufficient accountability or transparency safeguards while, simultaneously, empowering private organizations to collect and use personal information without prior consent or knowledge. Such safeguards must be added in legislative amendments or Canada’s new privacy legislation will continue the trend of inadequately protecting individuals and communities from the adverse effects of using de-identified data to advance so-called socially beneficial purposes or using personal information for ostensibly legitimate business purposes.

Download a .pdf version of “Minding Your Business”

Unpacking the CSE’s 2021-2022 Annual Report

July 12, 2022July 12, 2022 / Christopher Parsons

black binocular on round device — Photo by Skitterphoto on Pexels.com

The Communications Security Establishment (CSE) released its 2021-2022 Annual report on June 28, 2022.¹ The CSE is Canada’s leading foreign signals intelligence and cryptologic agency. It is specifically tasked with collecting foreign intelligence, defending government of Canada networks as well as private networks and systems deemed of importance by the government, providing assistance to federal partners, and conducting active and defensive cyber operations.² The CSE operates as a Canadian equivalent to the United Kingdom’s GCHQ.

Five things stood out to me in the annual report:

It provides more details about the kinds of active and defensive cyber operations that the CSE has undertaken while also clarifying when such operations might take place. This information is important given the potentially deleterious or unintended impacts of the CSE exercising these capabilities. It is, however, worth recognizing that the CSE is casting these activities as preventative in nature and does not include a legal discussion about these kinds of operations.
The report extensively discusses threats to critical infrastructure and the activities that the CSE is undertaking to defend against, mitigate, or remediate such threats. Many of the currently voluntary engagements between the CSE and industry partners could become compulsory (or, at a minimum, less voluntary), in the future, should Canada’s recently tabled infrastructure security legislation be passed into law.
We generally see a significant focus on the defensive side of the CSE’s activities, vis-a-vis the Cyber Centre. This obscures the fact that the majority of the agency’s budget is allocated towards supporting the CSE’s foreign intelligence and active/defensive cyber operations teams. The report, thus, is selectively revelatory.
No real discussion takes place to make clear to readers how aspects of the CSE’s foreign intelligence, cybersecurity/information assurance, assistance, or active or defensive cyber operations authorities may interoperate with one another. The result is that readers are left uncertain about how combinations of authorities might enable broader operations than are otherwise self-apparent.
As I raise at several points when analyzing the annual report there are a number of situations where information in the annual report risks concealing the broader range(s) of actions that the CSE may undertake. Readers of the annual report are thus advised to critically assess the annual report and read what it specifically says instead of what it may imply.

In this post, I proceed in the order of the report and adopt the headlines it used to structure content. After summarizing some of the highlight elements in a given section I proceed with a short discussion of the relevant section. The post concludes with a broader assessment of the annual report, what was learned, and where more information is desirable in the future.

Continue reading →

Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

March 30, 2022April 11, 2022 / Christopher Parsons

grayscale photo of man and woman hacking a computer system — Photo by Tima Miroshnichenko on Pexels.com

On February 14, 2022, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released a report that explored how the Government of Canada sought to defend its systems and networks from cyber attack from 2001 onwards.¹ The report provides a comprehensive account of how elements of the Government of Canada–namely the Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Communications Security Establishment (CSE)–have developed policies, procedures, and techniques to protect government systems, as well as the iterative learning processes that have occurred over the past two decades or so pertaining to governmental cyber defence activities.

I want to highlight four core things that emerge from my reading of the report:

From an empirical point of view, it’s useful to know that the Government of Canada is preparing both a policy on paying ransomware operators as well as developing a Vulnerabilities Disclosure Policy (VDP) though the report does not indicate when either will be open to public comment or transformed into formal government policy;
A high-level discussion of senior coordination committees is provided, though without an accompanying analysis of how effective these committees are in practice. In particular, the report does not discuss how, as an example, cross-departmental committees are working to overcome problems that are raised in the sections of the report focused on TBS, SSC, or the CSE;
NSICOP maintains that all parties associated with the government–from Crown corporations, to government agencies, to other independent branches of government–should operate under the government’s security umbrella. NSICOP does not, however, make a constitutional argument for why this should be done nor assess the operational reasons for why agencies may not currently operate under this umbrella. Instead, the report narrowly argues there are minimal privacy impacts associated with enjoying the government’s cyber security protections. In doing so, the committee presumes that privacy concerns have driven separate branches of governments to operate outside policies set by TBS, and services offered by SSC and the CSE. At no point did the Committee engage with the Office of the Privacy Commissioner of Canada (OPC) to assess potential privacy issues associated with the government’s cyber security policies and practices; and
NSICOP did not canvas a wide set of government agencies in their interviews and included no external-to-government parties. The consequence is that the report does not provide needed context for why some government agencies refuse to adopt TBS policy guidance or regulations, decline services operated by SSC, or have limited uptake or adoption of advice or technical systems offered by the CSE. The consequence is that this report does nothing to substantively assess challenges in how TBS, SSC, or the CSE themselves are deploying their defensive capacities across government based on the experiences of those on the receiving end of the proffered cyber security and defence offerings.

In this post, I conduct a deep dive into NSICOP’s report, entitled “National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack.” Throughout, I summarize a given section of the report before offering some analysis of it. In the conclusion of this post I summarize some of the broader concerns associated with the report, itself, as well as the broader implications these concerns may have for NSICOP’s long-term viability as an independent reviewer of the national security community.