
Science

If Canadian spies found a flaw in the iPhone, would they tell Apple? Make the policy public, critics say

When Canada's electronic spy agency finds a security flaw in a widely used operating system or a much-loved messaging app, what it does next is anyone's guess. There are calls for that to change.

CSE has a responsibility to be more transparent about its handling of software flaws, says NDP MP Matthew Dubé

It's unclear what Canada's electronic spy agency, the Communications Security Establishment, does when it finds a security flaw in a widely used operating system or a much-loved messaging app. (Douglas C. Pizac/Associated Press)

When Canada's electronic spy agency finds a security flaw in a widely used operating system or a much-loved messaging app, what it does next is anyone's guess. Does it report the flaw to the software's developer so that it can be fixed? Or is knowledge of the flaw saved for the future, when it can be exploited by the agency's spies to gather intelligence?

The Communications Security Establishment (CSE) has a policy governing this process but won't disclose or discuss it. As the government attempts to introduce sweeping changes to the country's national security laws, with new powers for agencies like the CSE, there are calls from both experts and the opposition for that shadowy policy to be laid bare.

The CSE has its own "panel of experts" from across the agency that meets "regularly" to review and assess software vulnerabilities, a spokesperson told CBC News last year, though he declined to elaborate further on the agency's review policy.

NDP MP Matthew Dubé is one critic who says that has to change.

"I think that they do have a responsibility to provide that kind of information," Dubé said in an interview with CBC News.

NDP MP Matthew Dubé would like to see Canada follow the U.S.'s lead and make the CSE's policy public. (Marc Robichaud/CBC)

Dubé, who is the party's public safety critic, acknowledged that some information may have to be withheld for national security reasons, but said there should also be a way to provide more transparency to Canadians on how software vulnerabilities are handled, "especially if we're seeing our allies partake in a similar exercise," he said.

In the U.S., a policy called the Vulnerabilities Equities Process determines what agencies such as the FBI or NSA should do when they discover or acquire knowledge of previously unknown vulnerabilities. The reviews include input from law enforcement and military as well as civilian agencies, such as the departments of Commerce, Energy, and State.

Previous versions of the policy were not publicly available and had to be obtained via Freedom of Information lawsuits. The most recent policy was released by the government last November, and requires an annual, partly unclassified report on outcomes of the review process.

In recent weeks, Dubé has been spending much of his time before the House of Commons standing committee on public safety and national security seeking clarity on the expanded powers proposed in the Liberal government's new national security legislation, Bill C-59.

"When we're broadening legislation in order to offer these agencies more powers, understanding more about what kind of policies they have in place and how they're going to behave with those powers, I think we have a right to know ... what exactly that entails," Dubé said. "And as far as I'm concerned, we just don't have that right now."

Holding CSE accountable

Different parts of CSE can, at times, be working at cross purposes. Where one group might be trying to infiltrate a foreign target's smartphone by exploiting a newly discovered software flaw, another might argue the flaw should be patched before others discover it first and potentially use it against Canadians.

In Canada, it's not clear which types of vulnerabilities prompt reviews, how many vulnerabilities have been assessed or whether CSE engages other government agencies in its reviews. The spy agency declined to provide a copy of the policy that describes how the process works.


"As previously noted, CSE has a rigorous process in place to assess and review vulnerabilities," CSE spokesperson Ryan Foreman wrote in an emailed statement to CBC News. "This is a standardized decision-making process which allows CSE to responsibly manage equities associated with identified vulnerabilities in a way that puts the safety and security of Canada and Canadians first.

"CSE is unable to provide any further details about operational specifics," Foreman said.

Researchers at the University of Toronto's Citizen Lab have argued that without more information about the agency's policy, it is impossible to know how the agency balances its responsibility to protect Canadians with its mandate to collect foreign intelligence, let alone "hold the establishment accountable if policies which inappropriately restrict responsible disclosure fail to serve the public interest."

In an analysis of Bill C-59 published last month, the researchers argued that such a policy should be made public, if not enshrined as part of the bill, and that the outcomes of reviews should be released regularly to the public, to the greatest extent possible.

"In the absence of a clear framework for how, when and whether vulnerabilities are disclosed, there is no way for industry or the public to understand under what conditions the CSE would decide to keep such discoveries secret for its own purposes," the Citizen Lab report reads.

When asked if the government's proposed National Security and Intelligence Review Agency (NSIRA) would oversee CSE's vulnerabilities process and be provided with regular reports, Foreman would say only that all of CSE's activities would be subject to review if Bill C-59 is passed.

Dubé says the lack of transparency has made it difficult for Canadians to understand what, exactly, it is that the CSE does. But as far as the agency's handling of software vulnerabilities goes, it's Dubé's hope that the "new oversight mechanisms being proposed will help in some way."