research

Canadian National Security Assessment Rules Endanger Scholarly Research

/ Christopher Parsons
laboratory equipment on table
Photo by Karolina Grabowska on Pexels.com

On July 14, 2021 I published an opinion article in the Globe & Mail, entitled there as, “The new security research rules threaten universities’ ability to be open and inclusive“. The article is republished, in full, below.

On Monday, the Canadian government imposed mandatory national security risk assessments on scholarly research. The new rules apply to projects that receive funding from the Natural Sciences and Engineering Research Council (NSERC) and involve foreign researchers or private-sector organizations. The stated intent of the assessments is to prevent intellectual property from being stolen and ensure that Canadian researchers do not share industrial, military or intelligence secrets with foreign governments or organizations to the detriment of Canadian interests. But they will chill research and scholarly training, accentuate anti-immigrant biases and may amplify national security problems.

In brief, these assessments add an analysis of national security issues into the process of funding partnerships by compelling researchers to evaluate whether their work is “sensitive.” Cutting-edge topics that are considered sensitive include artificial intelligence, biotechnology, medical technology, quantum science, robotics, autonomous systems and space technology. Amongst other criteria, researchers must also assess risks posed by partners, including whether they might disclose information to other groups that could negatively affect Canada’s national security, whether they could be subject to influence from foreign governments or militaries, or if they lack clear explanations for how or why they can supplement funding from NSERC.

If a researcher or their team cannot state there are no risks, they must itemize prospective risks, even in cases where they must speculate. Mitigation processes must explain what security protocols will be established, how information might be restricted on a need-to-know basis, or how collaborators will be vetted. Government documents specifically warn researchers to take care when working with members of the university research community, such as contractors, employees or students.

Whenever research is assessed as raising national security concerns, it may be reviewed by NSERC and Canada’s national security agencies, and research programs may need to be modified or partners abandoned before funding will be released.

These assessments will chill Canadian research. Consider Canadian university professors who are working on artificial intelligence research, but who hold Chinese citizenship and thus could potentially be subject to compulsion under China’s national security legislation. Under the assessment criteria, it would seem that such researchers are now to be regarded as inherently riskier than colleagues who pursue similar topics, but who hold Canadian, American or European citizenship. The assessments will almost certainly reify biases against some Canadian researchers on the basis of their nationality, something that has become commonplace in the United States as Chinese researchers have increasingly been the focus of U.S. security investigations.

Students who could potentially be directly or indirectly compelled by their national governments may now be deemed a threat to Canada’s national security and interests. Consequently, international students or those who have families outside of Canada might be kept from fully participating on professors’ research projects out of national security concerns and lose out on important training opportunities. This stigma may encourage international students to obtain their education outside of Canada.

These assessments may create more problems than they solve. Some Canadian researchers with foreign citizenships might apply for foreign funding to avoid national security assessments altogether. But they may also be motivated to conceal this fact for fear of the suspicion that might otherwise accompany the funding, especially based on how their American counterparts have been targeted in FBI-led investigations. Foreign intelligence services look for individuals who have something to hide to exploit such vulnerabilities. In effect, these assessments may amplify the prospect that researchers will be targeted for recruitment by foreign spy agencies and exacerbate fears of foreign espionage and illicit acquisition of intellectual property.

What must be done? If the government insists on applying these assessments, then NSERC must commit to publishing annual reports explaining how regularly research is assessed, the nature of the assessed research, rationales for assessments and the outcomes. Canada’s national security review agencies will also have to review NSERC’s assessments to ensure that the results are based in fact, not suspicion or bias. Researchers can and should complain to the review agencies and the news media if they believe that any assessment is inappropriate.

Ultimately, Canadian university leaders must strongly oppose these assessments as they are currently written. The chill of national security threatens to deepen suspicions towards some of our world-leading researchers and exceptional international students, and those running universities must publicly stand up for their communities. Their universities’ status as being open and inclusive – and being independent, world-leading research bodies – depends on their advocacy.

A Predator in Your Pocket : A Multidisciplinary Assessment of the Stalkerware Application Industry

/ Christopher Parsons

With a series of incredible co-authors at the Citizen Lab, I’ve co-authored a report that extensively investigates the stalkerware ecosystem. Stalkerware refers to spyware which is either deliberately manufactured to, or repurposed to, facilitate intimate partner violence, abuse, or harassment. “A Predator in Your Pocket” is accompanied by a companion legal report, also released by the Citizen Lab. This companion report is entitled “Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications,” and conducts a comprehensive criminal, civil, regulatory, and international law assessment of the legality of developing, selling, and using stalkerware.

Continue reading

Citizen Lab and CIPPIC Release Analysis of the Communications Security Establishment Act

/ Christopher Parsons

The Fifth Eye by Dustin Ginetz (CC BY-NC-SA 2.0) https://flic.kr/p/id9KHn

It’s with real pleasure that I can announce that the Citizen Lab and the Canadian Internet Policy & Public Interest Clinic (CIPPIC) have collaborated to produce a report which provides timely legal analysis, political context, and historical background on the Communications Security Establishment Act and related provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017).  We hope that this resource will help members of parliament, journalists, researchers, lawyers, and civil society advocates engage more effectively on the issues at stake. Our report represents an analysis of the legislation as it enters political debate in Canada, and should be understood in the context of a rapidly evolving legal and political landscape.

The Communications Security Establishment (“the CSE” or “the Establishment”) is Canada’s national signals intelligence and cybersecurity agency. In the course of our analysis, we summarize the CSE’s mandate, activities, operations, and powers, with an emphasis on their potential implications for human rights and global security. We also offer a series of recommendations which, if adopted, would ensure a more legally sound framework for the CSE, better protect global security interests in a rapidly changing technological environment, and more effectively account for Canada’s domestic and international human rights obligations.

In Section I, we provide a brief overview of the CSE’s current mandate and certain controversial activities undertaken as part of that mandate. We also provide a high-level overview of Bill C-59 and its primary implications for the CSE.

In Section II, we undertake a detailed analysis of key issues arising from Bill C-59 related to the CSE, focusing on aspects with the most critical implications for human rights, political transparency, and global security. In particular, some of the issues we highlight in the legislation relate to:

  • Longstanding problems with the CSE’s foreign intelligence operations, which are predicated on ambiguous and secretive legal interpretations that legitimize bulk collection and mass surveillance activities. These activities both attract Charter protections and engage Canada’s human rights obligations.
  • The complete lack of meaningful oversight and control of the CSE’s activities under the proposed active and defensive cyber operations aspects of its mandate.
  • The absence of meaningful safeguards or restrictions on the CSE’s active and defensive cyber operations activities, which have the potential to seriously threaten secure communications tools, public safety, and global security.
  • The absence of meaningful safeguards or restrictions on the CSE’s activities more generally. As drafted, the CSE Act appears to include a loophole which would allow the Establishment to cause death or bodily harm, and to interfere with the “course of justice or democracy,” if acting under its foreign intelligence or cybersecurity powers while prohibiting these outcomes under its new cyber operation powers.
  • The risk that the CSE’s cybersecurity and assurance operations for the federal government could threaten independence of the courts or the separation of powers.
  • Concerns regarding the framework for the CSE’s acquisition of malware, spyware and hacking tools, which may legitimize a market predicated on undermining and subverting, rather than strengthening, the security of the global information infrastructure.
  • Serious issues related to the CSE’s provision of technical and operational assistance to other entities—including Canadian law enforcement—which may lead the CSE to proffer capabilities that would otherwise be illegal or unconstitutional for domestic partners to develop, use or possess, or which would be inherently disproportionate if deployed in those contexts (e.g., in policing operations).
  • Potential issues with the National Security Intelligence Review Agency’s ability to access foreign-provided information, and the risk of regulatory capture through its hiring policies.
  • Serious shortcomings—both legal and practical—in the role of the Intelligence Commissioner, which does not resolve the constitutional challenges surrounding the current CSE Commissioner or the constitutionality of the CSE’s activities more generally.
  • The Intelligence Commissioner’s inability to exercise meaningful and comprehensive oversight and control over the CSE’s activities (including its most problematic activities) due to an under-inclusive mandate, issues of independence, and insufficient powers of a quasi-judicial nature.
  • Weak and vague protections for the privacy of Canadians and persons in Canada, alongside an abject disregard for privacy rights as an international human rights norm.
  • Extraordinary exceptions to the CSE’s general rule against “directing” activities at Canadians and persons in Canada significantly expand the CSE’s ability to use its expansive powers domestically.
  • A general failure to recognize that the highly interconnected and interdependent nature of the global information infrastructure means that protections or limits on the CSE’s powers that begin and end at national boundaries are insufficient to protect Canada’s security interests.
  • Deep tensions at the core of the CSE mandate, which requires the Establishment to both protect and defend against security threats while simultaneously exploiting, maintaining, and creating new vulnerabilities in order to further its foreign intelligence agenda. These tensions are exacerbated by the introduction of new offensive powers and the two new aspects of its mandate.
  • A lack of legal clarity regarding how, when, and whether vulnerabilities discovered by the CSE are disclosed to vendors or the public, and how the CSE accounts for the public interest in the process.
  • The lack of oversight or reporting requirements for “arrangements” with equivalent agencies to the CSE in foreign jurisdictions. There is a risk that these partnerships could involve receipt of information derived from torture or other activities that would be unlawful or unconstitutional if conducted by a Canadian agency.

In Section III, we summarize recommendations emerging from our analysis for committee members and other members of Parliament studying the proposed CSE Act. In particular, we make recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Download a copy of “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 ( An Act respecting national security matters ), First Reading (December 18, 2017)

Towards Transparency in Canadian Telecommunications

/ Christopher Parsons / 2 Comments

Ethernet CablesTelecommunications services providers that offer Internet and phone service play central roles in the daily lives of Canadians. The services that these companies provide are essential for contemporary living; we rely on these services to access our email, make or receive our phone calls and text messages, check and update our social media feeds, and figure out how to get where we are going by way of GPS. Our lives are predominantly channeled through these companies’ digital networks, to the extent that Canadian telecommunications service providers are functionally the gatekeepers Canadians must pass by before accessing the Internet, or phone networks, at large. Today, Canadian scholars and civil liberties organizations have come together to ask that many of Canada’s most preeminent telecommunications companies disclose the kinds, amounts, and regularity at which state agencies request telecommunications data pertaining to Canadians.

Canadian state agencies often request access to the subscriber and telecommunications data held by these Canadian companies, as befits the companies’ privileged roles in our lives. [1] Sometimes access is gained using a court order, sometimes it is not. Sometimes requests are for circumspect amounts of information, and other times for greater volumes of data. To date, however, interested Canadians have had only vague understandings of how, why, and how often Canadian telecommunications providers have disclosed information to government agencies. Given the importance of such systems to Canadians’ lives, and the government’s repeated allegations that more access is needed to ensure the safety of Canadians, more data is needed for scholars, civil rights organizations, and the public to understand, appreciate, and reach informed conclusions about the legitimacy of such allegations.

Our call for telecommunications transparency is in line with actions taken in the United States, where politicians such as Representative Markey have successfully asked telecommunications service providers to explain the types of requests made by American state agencies for telecommunications data, the regularity of such requests, and the amounts of data disclosed. [2] Moreover, American companies are developing more and more robust ‘transparency reports’ to clarify to their subscribers how often, and on what grounds, the companies disclose subscriber information to American state authorities. There is no reason why similar good practices cannot be instantiated in Canada as well.

Over the past decade, Canadians have repeatedly heard that law enforcement professionals and state security agents need enhanced access to telecommunications data in order to go about their jobs.[3] And Canadians have read about how our own signals intelligence service, the Communications Security Establishment Canada, has been and continues to be involved in surveillance operations that ‘incidentally’ capture Canadians’ personal information. [4] Despite these developments in Canada, there is not a substantially greater degree of actual transparency into how and why Canadian telecommunications service providers disclose information to agents of the Canadian government.

It is in light of this ongoing lack of transparency surrounding telecommunications providers’ disclosure of information to state authorities that we, a series of academics and civil rights groups, have issued public letters to many of Canada’s largest or most significant Internet and mobile communications providers. We hope that Canada’s telecommunications community will welcome these letters in the spirit they are intended: to make clearer to Canadians the specific conditions under which the Canadian government can and does access telecommunications information pertaining to Canadians, the regularity at which such access is granted, and the conditions under which telecommunications companies disclose information to state agencies.

The responses to these letters will enable superior scholarly analyses of Canadian state agency practices, evaluations of proposed federal legislation, and analysis of government agencies to currently access data that is held or transmitted by Canadian telecommunications companies. These responses will also better comparisons between the Canadian and American situations; too often, scholars, advocates, and policy analysts have been forced to transpose American realities onto what might be occurring in Canada. With real Canadian data in hand, it will be possible to more affirmatively differentiate between the state surveillance practices in Canada and the US, as well as to assess existing and proposed mechanisms that state agencies use to access telecommunications data pertaining to Canadians.

These letters were issued by letter mail and, where possible, by e-mail on January 20, 2014. We have requested that the companies respond, or provide a commitment to respond, by March 3, 2014. Below are .pdf copies of the letters that we sent; we look forward to hearing back from the recipients.

Letters sent to Canadian telecommunications service providers

  1. Nicholas Koutros and Julien Demers, “Big Brother’s Shadow: Historical Decline in Reported Use of Electronic Surveillance by Canadian Federal Law Enforcement,” SSRN, February 3, 2013, accessed December 13, 2013, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2220740; Andrea Slane and Lisa Austin, “What’s in a Name? Privacy and Citizenship in the Voluntary Disclosure of Subscriber Information in Online Child Exploitation Investigations,” Criminal Law Quarterly (57) (2011); Ian Kerr and Daphne Gilbert, “The Role of ISPs in the Investigation of Cybercrime,” in Information Ethics in the Electronic Age: Current Issues in Africa and the World, ed. Johannes J. Britz and Tom Mendina (Jefferson, North Carolina: McFarland & Company Inc, 2004).  ↩
  2. Eric Litchblau, “More Demands on Cell Carriers in Surveillance,” New York Times, July 8, 2012, accessed January 19, 2014, http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in-requests-to-aid-surveillance.html; Brian X. Chen, “A Senator Plans Legislation to Narrow Authorities’ Cellphone Data Requests,” New York Times, December 9, 2013, accessed January 19, 2014, http://www.nytimes.com/2013/12/09/technology/a-senator-plans-legislation-to-narrow-authorities-cellphone-data-requests.html.  ↩
  3. Jesse Kline, “Vic Toews draws line on lawful access: You’re with us, or the child pornographers,” National Post, February 14, 2012, accessed January 19, 2014, http://fullcomment.nationalpost.com/2012/02/14/vic-toews-draws-line-on-lawful-access-youre-with-us-or-the-child-pornographers/; Jane Taber, “New cyberbullying laws should pass this spring, Justice Minister says,” The Globe and Mail, January 9, 2014, accessed January 19, 2014, http://www.theglobeandmail.com/news/politics/new-cyberbullying-laws-should-pass-this-spring-justice-minister-says/article16253334/.  ↩
  4. Ian MacLeod, “Spy agency admits it spies on Canadians ‘incidentally’,” Ottawa Citizen, January 6, 2014, accessed January 19, 2014, http://www.ottawacitizen.com/news/agency+admits+spies+Canadians+incidentally/9356255/story.html.  ↩

[box style=”blue”]Note: This post first appeared on the Citizen Lab website[/box]

Call for Assistance: A Broadband Analysis Tool

/ Christopher Parsons / 2 Comments

3096166092_da7bcf9997_bCommunications systems are integral to emerging and developed democracies; the capability to rapidly transmit information from one point to another can help fuel revolutions and launch information campaigns about unpopular decisions to ‘meter’ the Internet. In foreign nations and at home in Canada we regularly see ISPs interfere with transmissions of data content. Both abroad and at home, researchers and advocates often have difficulties decoding what telecom and cableco providers are up to: What systems are examining data traffic? How is Internet access distributed through the nation? Are contractually similar data plans that are sold in different geographic regions providing customers with similar levels of service?

To date, Canadian advocates and researchers have been limited in their ability to draw on empirical data during major hearings at the CRTC. This makes research and advocacy challenging. Over the past several years, researchers, advocates, counsel, and members of industry that I’ve spoken to have complained that they need hard data. (It’s a gripe that I’ve stated personally, as well). With your help, numbers will be on the way. Continue reading