OTTAWA—Canada’s electronic spies are being asked to consider the damage their operations could have on Canada’s reputation if the public were to find out about them.

The Communications Security Establishment’s updated “risk framework” asks their employees to weigh the benefits of electronic eavesdropping against the damage it could cause to Canada’s reputation and Canadian public opinion.

“Foreign entities… and the Canadian public have expectations about legitimate or acceptable (signals intelligence) conduct,” stated the risk framework, released under access to information law.

“It is important to consider how an activity would reflect on CSE and Canada’s reputation in comparison to what we say we do. Activity perceived as violating these norms could undermine CSE’s legitimacy with the public and create diplomatic pressure on the Canadian government.”

The document lists three examples where CSE operations could damage the government’s reputation, including:

Using its sophisticated spying technology to gain commercial advantages for Canadian companies — the kind of economic espionage Western nations routinely criticize China for participating in.

Turning CSE eyes on people, groups or nations not considered to be a threat to Canada.

Using tools or computer vulnerabilities, such as unpatched bugs in consumer software, that weaken Canadians’ online security.

That spying comes with reputational risks will not be news to anyone at CSE. The agency was thrust into the public spotlight in 2013 after Edward Snowden leaked details about how the Five Eyes security alliance — which includes Canada — operates in the online world, creating an international backlash against the agencies.

But the document shows that in the post-Snowden environment, CSE is sensitive to some of the public relations issues – and political realities – of their new, more public role.

The document makes clear the agency is keenly aware of the risks if its spying is perceived as offside.

Bill Robinson, who researches CSE’s history and current operations, said the agency has to walk a delicate line between encouraging their staff to take risks while protecting the agency from scandal.

“They want to encourage risk taking, because it’s a kind of business where you don’t get much (intelligence) if you’re not pushing the edge of what’s possible, although it’s possible that sometimes you’re going to get caught or its going to fail,” Robinson, who works with the Citizen Lab at the University of Toronto.

“They want to encourage failure, in that sense, not to be afraid to fail. But at the same time, obviously, they want to control the consequences of failure. They want to understand that so they can make the appropriate decisions on when to take a risk.”

The Star requested an interview with CSE to discuss the framework on Monday. As of Tuesday afternoon, nobody with the agency was available.

In a statement, a spokesperson for CSE said that the risk framework, written in January 2018, is simply a formalization of the kind of considerations the agency has weighed for decades.

Loading... Loading... Loading... Loading... Loading... Loading...

“Risk management, including considerations of reputational risk, has always been an essential part of CSE’s foreign signals intelligence operations,” wrote CSE spokesperson Ryan Foreman in an email to the Star.

“In its design, the framework recognizes that the unique context and objectives of each operational scenario is important to consider when assessing risk, and so it is not possible to assess specific operational risks absent this information.”

Read more about: