SEE SOMETHING, SAY SOMETHING, GOOGLE IT YOURSELF
CSIS Posted on LinkedIn Asking the Public to Report Foreign Interference. They Didn’t Define It. When Asked, They Described LinkedIn.
This piece was sparked by a LinkedIn post from the Canadian Security Intelligence Service, published April 15th, 2026. CSIS asked the public to report foreign interference. A commenter asked what foreign interference looks like. CSIS replied with a definition that describes the platform they posted it on. This piece also draws on the CSIS Public Report 2024, the “Foreign Interference and You” guidance page on Canada.ca, the CSIS Act definition of foreign-influenced activities, RCMP Commissioner Mike Duheme’s interview on CTV’s Question Period (March 19, 2026), the CSIS statement reported by The Canadian Press (March 3, 2026), and analysis by Canada’s National Observer (March 25, 2026).
Read the CSIS “Foreign Interference and You” page: canada.ca/en/security-intelligence-service/corporate/publications/foreign-interference-and-you
Shadow Tactics IIS Carbon Copy is sponsored by
KlavanSecurity.com
All views expressed belong to Shadow Tactics IIS Carbon Copy and do not reflect the position of any sponsor.
⚠️ Warning Label: This article is about Canada’s intelligence service asking the general public to identify clandestine foreign state operations via social media. Side effects may include re-reading your last LinkedIn connection request with suspicion, reporting your recruiter to a 1-800 number, and wondering whether the government that froze bank accounts over bouncy castles couldn’t find a more serious tool for actual foreign intelligence threats.
THE POST
A Tuesday afternoon. You are on LinkedIn. You are doing what people do on LinkedIn: scrolling past motivational posts from people who describe themselves as “thought leaders,” ignoring three connection requests from recruiters, and pretending you read an article someone in your network shared about supply chain resilience.
Between a promoted post for project management software and someone’s announcement that they are “humbled and excited” to share a career update, Canada’s intelligence service has posted a message.
It has a spy emoji.
“Foreign interference can be a single act, but most often it is a series of activities and behaviours that occur over a period of time,” the post reads. “Think you’ve witnessed it? Contact us.”
You look at the post. You look at the spy emoji. You look at the complete absence of any definition, example, or operational description of what foreign interference actually looks like.
You think: witnessed what, exactly?
THE QUESTION
Someone in the comments asked the obvious question. What does foreign interference look like?
It was a reasonable thing to ask. CSIS had just told 160,000 LinkedIn followers to report something without describing it. That is the equivalent of a fire department posting “Think you’ve seen a fire? Call us” without mentioning heat, smoke, or flames. The assumption appears to be that the average Canadian LinkedIn user possesses an intuitive understanding of clandestine foreign state operations sufficient to identify them in the wild and distinguish them from, say, a Tuesday.
CSIS replied. Here is what Canada’s intelligence service told the public that foreign interference looks like:
“Trying to gather sensitive information through conversations, building relationships to gain favours, using threats or blackmail, spreading distorted or false information, and much more.”
Read that again.
Trying to gather sensitive information through conversations. That is what every salesperson, recruiter, journalist, consultant, and competitive intelligence professional on the platform does for a living. That is what LinkedIn is. The platform is a machine for gathering sensitive information through conversations.
Building relationships to gain favours. That is networking. That is the entire premise of the website they posted this on. Building relationships to gain favours is not a description of foreign interference. It is LinkedIn’s value proposition. It is on the marketing materials.
Spreading distorted or false information. On LinkedIn. Where “serial entrepreneur” means “had three failed startups,” where every layoff is a “new chapter,” and where half the posts in your feed are AI-generated thought leadership about authenticity.
Now, to be fair: these behaviours can be indicators of foreign interference when they are conducted by or on behalf of a foreign state, with intent to harm Canadian interests, as part of a coordinated and clandestine effort. Context is what separates espionage from networking. The problem is that CSIS provided the behaviours without the context, on a platform where those same behaviours are the baseline for normal professional activity. What they gave the public is not a threat briefing. It is a description of LinkedIn, unadorned.
Grumpy Bob: “They posted a warning about suspicious behaviour on a platform built entirely on suspicious behaviour. Gathering information through conversations. Building relationships for favours. Without context, that is not a threat indicator. That is a LinkedIn tutorial.”
WHAT THEY LEFT OUT
Here is what makes this worse. CSIS is not wrong about the behaviours. The problem is how they were communicated, and what was left on the table.
CSIS has an actual, detailed taxonomy of foreign interference methods. Their own 2024 Public Report lists them: elicitation, cultivation, coercion, illicit and corrupt financing, malicious cyber activities, information manipulation, foreign disinformation, and transnational repression.
Their “Foreign Interference and You” page on Canada.ca goes further. It defines transnational repression as including “extrajudicial killing, physical assault, unlawful abduction, physical and online surveillance, and obstruction.” It describes proxy financing of political candidates. It describes cyber operations including spear-phishing and malware deployment against Canadian institutions. It describes state-directed campaigns to silence dissidents through threats against their family members in their home countries.
That is what foreign interference looks like. Foreign states running covert police stations in Canadian cities. A Canadian citizen murdered on Canadian soil with a state-placed bounty on his head. Election interference documented across two federal elections and confirmed by a public inquiry. Billions in intellectual property stolen from Canadian companies over decades with no formal attribution and no sanctions.
None of that made it into the LinkedIn reply. What the public got instead was: conversations, relationships, blackmail, and false information. The version of foreign interference that sounds like a bad date, not a national security threat.
The hard version, the version with the killings and the police stations and the IP theft and the coercion networks targeting diaspora communities, was available on their own website the entire time. They chose to give LinkedIn the soft version. The version that sounds manageable. The version that does not scare anyone. The version that, critically, does not raise the follow-up question: if this is what foreign interference actually looks like, why hasn’t the government stopped it?
Grumpy Bob: “They have a list. Extrajudicial killing. Unlawful abduction. Covert police stations. State-directed surveillance of Canadian citizens. Cyber operations against critical infrastructure. They told LinkedIn about the conversations and the relationships. The parts that sound like networking, not the parts that sound like what they actually are.”
THE CONTRADICTION NOBODY RESOLVED
The timing of this post deserves context, because the weeks leading up to it were not quiet.
On March 3, 2026, a CSIS spokesperson told The Canadian Press that the agency’s threat assessment of the “main perpetrators of foreign interference and espionage against Canada” had not changed. The named perpetrators in the CSIS 2024 Public Report include the People’s Republic of China, India, the Russian Federation, the Islamic Republic of Iran, and Pakistan.
On March 19, 2026, RCMP Commissioner Mike Duheme sat down with CTV’s Question Period host Vassy Kapelos and said something that landed very differently. “In the files that we have that involve transnational repression, we’re not seeing any connection right now with any foreign entity, based on the criminal information, the investigations that we have presently,” Duheme said. He went further: “I’m saying that based on the totality of the files that we have on foreign interference or transnational repression, what we have in our holdings is we have people that are intimidating people, harassing people, but connecting the dots to a foreign entity, regardless of the country, we don’t have that.”
The following day, Global News reporter Stewart Bell confirmed he had received a statement from CSIS reiterating that the agency’s threat assessment had not changed and that foreign interference remains a persistent threat.
These statements may reflect different mandates and different evidentiary thresholds. The RCMP operates on a criminal evidence standard. CSIS operates on an intelligence assessment standard. Those are not the same thing, and a reasonable observer can hold that both statements are technically correct within their respective frameworks.
But to the Canadian public, these statements appear contradictory and unresolved. One federal agency says the threat is persistent and unchanged. The other says it cannot connect the dots to a foreign entity in any current file. Nobody in government has reconciled these positions publicly. The Foreign Interference Commission recommended legislation to bridge the intelligence-to-evidence gap before the next election. That legislation was never passed.
And then, less than four weeks after this contradiction played out in national media, CSIS posted on LinkedIn asking the general public to help identify the thing its own agencies cannot agree is happening.
Public reporting can be a useful intelligence tool. Tip lines exist for a reason. But public reporting works when civilians are given clear, actionable definitions of what they are looking for, paired with an institutional framework that can act on what they provide. Without clarity, the exercise risks becoming performative rather than operational.
Grumpy Bob: “The threats have never been worse. The response has never been softer. We went from ‘never in our combined histories’ to a LinkedIn post with a spy emoji in the same fiscal year. Somewhere between those two statements is the gap where Canadian security actually lives.”
THE EMERGENCIES ACT CONTRAST
In February 2022, the Government of Canada invoked the Emergencies Act in response to the convoy protests in Ottawa. Bank accounts were frozen. Financial surveillance powers were deployed. Crowdfunding platforms were compelled to disclose donor information. The government demonstrated, in public and at speed, that it possesses and will use extraordinary powers against its own citizens when it determines a domestic situation warrants them.
That was the toolkit they reached for when trucks were parked on Wellington Street.
When the threat is documented foreign state operations on Canadian soil, including covert police stations in Toronto, confirmed election interference, state-linked murder of a Canadian citizen, and decades of systematic intellectual property theft, the toolkit they reach for is a LinkedIn post asking you to call a 1-800 number.
The comparison is imperfect. Domestic enforcement and foreign intelligence response operate under different legal frameworks, face different attribution challenges, and carry different escalation risks. Nobody is arguing the government should freeze the bank accounts of a foreign intelligence service. The tools are different because the problems are different.
But the contrast highlights how differently urgency, speed, and institutional will are applied depending on the type of threat. The Emergencies Act response took days. Bank account freezes were operational within a political cycle. The surveillance infrastructure was already in place. The willingness to use it was demonstrated.
Against foreign state actors conducting operations documented across multiple public inquiries, parliamentary reports, and CSIS’s own annual threat assessments, the equivalent visible public action is: a social media post with no actionable definition, a soft reply when questioned, and a phone number.
This is not a capacity problem. The capacity exists. It was demonstrated. The question the contrast raises is about the direction the capacity gets pointed, and why the visible urgency only appears to flow in one direction.
Grumpy Bob: “They froze bank accounts in 72 hours for a domestic protest. For foreign states running intelligence operations in Canadian cities, they posted on LinkedIn. Different legal frameworks, sure. But do not tell me urgency is not a choice. Urgency is always a choice.”
WHAT WOULD SERIOUS LOOK LIKE
Serious would look like the government publishing clear, specific, operationally useful guidance that tells Canadians what to look for, using the actual terminology from their own reports. Not “conversations” and “relationships.” Elicitation. Cultivation. Coercion networks. Proxy financing. Transnational repression. Concrete examples, drawn from documented cases, that give the public a realistic picture of what they might actually encounter and how to distinguish it from normal professional or community activity.
Serious would look like resolving the public contradiction between CSIS and the RCMP before asking civilians to step into the gap. If the two agencies responsible for national security cannot align their public communications on whether the threat is present, asking the general public to adjudicate is not a strategy. It is a gap that should concern Canadians regardless of which agency they find more credible.
Serious would look like enforcement actions against documented foreign state operations that reflect the same institutional urgency demonstrated in 2022. Not eventually. Not through a public inquiry that produces recommendations nobody implements. Not through a LinkedIn post with a spy emoji. Through the tools and powers the government has demonstrated it possesses and is willing to use when it decides a situation warrants them.
Serious would look like an intelligence agency that did not need LinkedIn to find foreign interference, because that is what the intelligence agency exists to do.
Grumpy Bob: “An intelligence agency that needs LinkedIn to find foreign interference is an intelligence agency that has misplaced its purpose. You have human sources. You have warranted collection. You have a classified budget. Use them. The public’s job is to live in a country where the intelligence service does its job. The intelligence service’s job is not to make the public do it for them.”
SOURCES
Canadian Security Intelligence Service LinkedIn Post Published April 15, 2026 linkedin.com/company/canadian-security-intelligence-service-service
“Foreign Interference and You” Canadian Security Intelligence Service • Canada.ca canada.ca/en/security-intelligence-service/corporate/publications/foreign-interference-and-you/foreign-interference-and-you.html
CSIS Public Report 2024: Intelligence Operations Canadian Security Intelligence Service • Canada.ca canada.ca/en/security-intelligence-service/corporate/publications/csis-public-report-2024/intelligence-operations.html
“Carney won’t say whether India is engaged in interference, transnational repression” The Canadian Press • Published March 3, 2026 (Contains CSIS spokesperson statement confirming threat assessment unchanged)
“RCMP commissioner says no threat to Canadians from agents of India’s government” CTV News • Published March 19, 2026 ctvnews.ca/video/2026/03/19/rcmp-commissioner-says-no-threat-to-canadians-from-agents-of-indias-government/
“Ottawa needs to open up on CSIS’ foreign interference claims” Canada’s National Observer • Published March 25, 2026 nationalobserver.com/2026/03/26/opinion/foreign-interference-india-china-iran
ABOUT SHADOW TACTICS
Shadow Tactics IIS Carbon Copy
Security discussions from an ex-CSIS TechOps member. Current news and historical references with a spy and security spin.
All proceeds support The Salvation Army.
Subscribe: klavansec.substack.com