Bill C-59 (Historical)

Thank you.

It's of critical concern to civil libertarians that the public understand that collection, incidental or otherwise, of personal information into national security agencies is not innocuous. In part because we do have these alliances, information sharing does flow in ways that are potentially problematic for those individuals, even with the notion that perhaps we're not exploiting it and perhaps we're not using it.

We're going to try to give assurances, but we don't know what's being used in terms of exploitation. We know it's everything from network mapping to profiling, which has been identified as a huge problem. It definitely resonates with Canadians as a threat to their own personal security. All those aspects of trying to figure out what the jeopardy is for this collection, use, retention, and exploitation are critical. It's critical to figure out those tentacles and ensure that we have mechanisms that are not merely paper mechanisms when we say we have measures. What are those measures? How do we know where they work? Do they cover off all the aspects?

Those are aspects behind the curtain that goes on with national security that most Canadians cannot see. We've come to have reason to distrust, because we haven't seen, for example, the simple definitions for things that would allow us to have the insight that we should have for democratic accountability.

When we see failures of definitions in Bill C-59 around things like publicly available information, to pick up my colleague's point, and a national security agency can acquire data through a data broker using the kinds of techniques that were just being described and ingest that into a system in which information may get shared with allies abroad, you can see the magnification effect of the impact on security of individuals—not national security, but personal security—in relation to all of those data practices.

People are not as alive as we would like them to be to these threats, but they're increasingly alive that these are the problems, as you illustrate.

In my time at CSIS, although now dated—it's been almost six years since I left—when I was responsible for the counterterrorism operations team, a number of charges were difficult in this even more complex choreography around intel-into-evidence. In other words, we were proceeding against certain targets that met the CSIS threshold of reason to suspect, versus then transferring some information protecting sources. Of course, Bill C-59 provides new tools to assist with that in some respects.

However, many operational opportunities were left wanting, first because we had difficulty transitioning information from intelligence into usable evidence, and secondly because, quite often, I found the perspective of crown prosecutors was always extremely cautious. As a Canadian, I think that's very important, because it adds one more check and balance, definitional things, so that we essentially have a prosecutorial system that is inclined to ensure that there is very little chance this prosecution could not proceed successfully. More often than not, cases ended up dropping below the threshold, even though perhaps in another jurisdiction—south of the border, as one example—they would have proceeded full guns.

Thank you very much, Mr. Chairman, and thanks for this opportunity to speak to everybody today.

As you know, I am the provincial security advisor for Ontario. I began this role in January of 2017. Prior to that, I spent almost five years as a consultant to private and public organizations in the area of national security-related risks, including cyber-threats. Prior to that, I was with the Canadian Security Intelligence Service, CSIS, and left that organization in 2012 as the assistant director.

As a result of joining CSIS at its inception in 1984, I've witnessed a tremendous number of milestones that shaped Canada's security intelligence environment, more specifically in regard to the organizations that are central to Canada's threat response.

At this moment, we find ourselves yet again at the cusp of change, and obviously important change. Although the CSIS Act has been widely viewed as a model of effective security intelligence legislation, it has required renovation from time to time, perhaps not so much due to any particular failings but rather to the necessity of changing times socially, culturally, politically, and, now more than ever, technically.

Of all the elements of import in Bill C-59, it is time to consider essential changes for an organization that I did not work for but to which I maintained important operational connectivity over many years. It is time for CSE to have its own enabling legislation, as its current mandate is 16 years old.

Most critical to that transformation of mission and mandate is the area related to cyber-threats. Canada must now join the community of like-minded nations determined to resist the growing threat of globalized criminal enterprise, nation-state-directed theft of intellectual property or interference in our society, and the potential for catastrophic destruction of critical infrastructure, be it the result of fifth-dimensional warfare or terror attack. We must support and connect and keep pace with our allies, from Australia to the EU. They themselves have recognized the nature of this new 21st century threat environment.

The nations that do not support or believe in these values certainly have discovered the benefits of hybrid or fifth-domain warfare. They are extremely active in targeting our key infrastructure and our future prosperity through the theft of the best and most important intellectual property the country has to offer. They've also noted the ease and the immediate benefits of undermining our democratic processes by undermining people's trust in institutions, as well as our ability to conduct respectful and constructive dialogue.

There are a number of areas to explore in this discussion today, but first let me say that I've also been a long-serving and vocal advocate of increased accountability for the security intelligence community. The establishment of the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency will now meet the majority of my concerns on the need to enhance accountability and transparency across the security establishment.

However, as part of my opening proposition, let me now address more directly aspects of the threat and our need to effectively respond to that reality.

We live in unprecedented times. Never in my career, which has spanned a little over three decades, have I perceived such a set of local and global challenges, from climate change and food security to irregular migration and unprecedented numbers of refugees, as well as social and political upheaval, nuclear threats, and shifting global hegemony. Threat actors from around the globe now target Canada with ease. Conversely, Canadians with the intent to harm others or target Canadian interests abroad can now operate from far-flung regions of the world, not just from typical conflict zones.

In this security intelligence equivalency of globalization, it is critically important that CSE continue to support CSIS, the Department of National Defence, and law enforcement agencies in the pursuit of lawful investigations or mission requirements wherever threats may emerge around the world. Whether that means assisting CSIS to collect intelligence on an emerging violent extremist network targeting Canadian travellers or diplomats abroad, assisting the Canadian Forces in the protection of a deployed unit delivering training, or perhaps even helping the RCMP bring human traffickers to justice, we need to provide the best available toolsets. The tools or capabilities I'm suggesting here are ones that only our signals intelligence organizations can provide.

Equally important, and I believe critical, is that we rely on Canadian-controlled and accountable capabilities rather than on the efforts or competencies of other nations that may not share our full set of standards and intentions.

With respect to part 3 of the bill, specifically dealing with cybersecurity and information assurance, let me say that as the provincial security advisor for Ontario, I am concerned most about this area, the cyber-threat targeting our vast investments in critical infrastructure.

Outside of the protection of intellectual property from either front-door or backdoor acquisition, what is key to our current and future prosperity is the protection of life-sustaining critical infrastructure assets, be they publicly owned or in private hands. Therefore, the enhanced ability for CSE to provide assistance towards protecting our critical infrastructure is vital for Ontarians and, I dare say, for all Canadians.

I believe this to be true because we now exist in a hazardous environment where 400-plus new malware threats are produced every minute and where ransomware attacks a person somewhere in the world every 10 seconds. As localized proof, the Government of Ontario’s cybersecurity operations team manages approximately 40 billion security events per month. Yes, that's billions per month. Although we are within industry norms, over 90% of the emails the Ontario public service receives are blocked due to botnet or spam threats.

With respect to defensive cyber operations, I believe that only CSE can bring to bear the technology, know-how, and library of threat-related data necessary to build effective cybersecurity resilience so necessary in this kind of environment. From conversations I've had with private industry and with large independent agencies of government, such as those involved in energy, health care, education, and transportation, I know that all feel the effects of constant cyber-threats. In essence, we and they can no longer do this alone. It is a global threat phenomenon requiring a national-level strategy and capability.

With regard to active cyber operations, let me simply say that the best defence always begins with a good offence. When more than five dozen countries around the world are reported to be actively developing cyber-operational capabilities, in my view, we must develop offensive cybersecurity measures to respond, and on certain occasions that means beyond our borders.

Offensive cyber-tactics have been developed and are being applied by the best private security firms in the world. Engaging the so-called dark web or darknet to gather intelligence in advance of an attack and to protect systems, such as those in the financial sector, has been the norm for some time. I know that because I've worked directly in that sector. When the time comes to face a targeted attack intended to manipulate the operating systems of an energy facility to cause a malfunction or perhaps even to destroy something, as we’ve seen in cases from Ukraine to Germany and even New York State, we will need CSE to “degrade, disrupt, influence, respond to or interfere with the capabilities [or] intentions” of those threat actions or their actors.

More commonly, and as another example, the frequency and prowess of so-called denial of service attacks or DDoS events are intensifying. One day soon, I predict, CSE will be required to assist a Canadian service provider or a subnational level of government to repel a massive DDoS attack.

With the advent of the Internet of things, we’ve already seen or witnessed botnets created out of smart devices being harnessed to launch attacks of one terabyte per second against institutions typically associated with information sharing, anti-spamming facilities, social networks, human rights workers, and mainstream media. Rest assured that this will only get worse, especially when we are facing autocratic regimes around the world that have no inhibitions.

On the issue of changing times, my current role as provincial security advisor is an important example of how the world has changed and how Canada’s view of itself and how it operates must also change. Ontario is but one of 14 core jurisdictions in this country. By itself, Ontario’s economy would rank 18th in a G20 context. No doubt, like Ontario, all subnational jurisdictions are conscious of the multitude of threats that continue to adversely affect prosperity and security.

To my mind, an effectively legislated security establishment that balances security requirements with accountability, transparency, and respect for the rights of Canadians is indeed the blueprint for our future success as a nation in this increasingly tumultuous world.

Thank you.

I'm happy to go first. Thank you, Mr. Chair, and thank you to the committee for this invitation.

My prepared remarks are about the CSE and CSIS bulk data collection.

In his testimony to this committee, Professor Craig Forcese made a very important point about the thresholds for authorizations for CSE data collection.

Proposed section 23 of what would be the new CSE act sets out that activities carried out by the CSE in relation to its various mandates must not be directed at Canadians or persons in Canada. This is of course a continuation of the current situation in which the CSE is required not to direct its activities in this fashion.

Nevertheless, it is well established and conceded that the information of Canadians and persons in Canada is collected, because some collection, and by no means insignificant collection, is unavoidable due to the complexity of communication networks. Thus, Canadians' information is collected incidentally or unavoidably.

Part of the new regime proposed for the protection of Canadians' privacy interests is to require that the CSE seek a ministerial authorization that is then approved by the intelligence commissioner. The trigger that initiates this process of authorization and intelligence commissioner vetting would occur when the CSE's activities would otherwise contravene an act of Parliament.

We agree with Professor Forcese that this trigger is under-inclusive, a view that is now echoed by Citizen Lab, the Canadian Internet Policy & Public Interest Clinic, and others.

As Professor Forcese notes, there is concern that the proposed threshold would not ensure that the authorization process would, for example, be initiated for activities that incidentally collect Canadians' metadata, which is obviously of critical importance.

Craig Forcese proposes a more expansive trigger, in which the authorization process is required for activities that would otherwise contravene any other act of Parliament or “involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy”, a threshold that has already been referenced.

Our problem with this proposed addition is simply this: that the question of what precisely attracts “a reasonable expectation of privacy” is typically the central dispute in almost any emergent privacy issue, and this threshold would be adjudicated internally by the CSE.

We know, not least from years of reports from the CSE commissioner, that disputes over the interpretation of legal standards and definitions have been of ongoing concern, and national security activities in general are plagued with the “secret laws” problem of having words in a statute or directive interpreted in sometimes obscure or deeply troubling ways, and ways that may not be unearthed for years. Therefore, a trigger that involves a colourable definition is inherently problematic, in our view.

However, we read the latest CSE commissioner's report as indicating that the CSE has conducted its signals intelligence activities under just three ministerial authorizations since 2015. It appears that these authorizations tend to authorize a broad sphere of activities. Our understanding that the frequency and scope of “incidental collection” suggests that most, or even all, of the authorizations are apt to at least implicate Canadians' data. In other words, there are only a small number of authorizations, and almost all are apt to require the authorization regime of vetting by the intelligence commissioner.

Surely, then, it is best and still entirely feasible and efficient—to ensure that this authorization process does indeed examine everything that we are hoping it will—to simply have one uniform process of authorization approval by the intelligence commissioner for all classes of activities undertaken outside of the technical and operational assistance mandate, which is, as you know, its own sphere of activities.

For everything else, we recommend that the question of threshold be resolved by eliminating the need for a threshold and ensuring that every class of activities authorized be subject to the new accountability procedure of ministerial authorization and vetting by the intelligence commissioner.

I will turn now to bulk data collection by CSIS. It was most certainly our concern coming out of the national security consultation that the government response to the CSIS bulk data scandals, if you will, would be to simply empower the agency to do what it had previously been doing unlawfully without having a meaningful democratic debate about mass data acquisition in the context of national security. We certainly appreciate that having bulk data collection squarely on a legislative footing does improve transparency, but we are deeply concerned with the low threshold that is proposed in Bill C-59 and that this critically important matter is, quite frankly, receiving insufficient attention in the context of a large omnibus bill.

It was only recently that SIRC did its first-ever audit of the bulk data collection programs of CSIS. SIRC is of the view that appropriate bulk data collection by CSIS can occur under CSIS's current section 12 standard of strict necessity for data collection. In our view, it is hard to imagine a body that would be better positioned to assess this, both from the perspective of accountability and respect for the rule of the law and from the perspective of the operational needs of CSIS.

SIRC's proposal for the standards and criteria for bulk data collection is a three-part test: that there be a clear connection to a threat to the security of Canada, that no less intrusive means are available, and that there be an objective assessment of intelligence value.

Now, compare that standard with the standard set out in Bill C-59. Bill C-59 allows CSIS to collect publicly available datasets, with no definition of that term, on the basis of a bare relevance standard. With respect to Canadian datasets—which, we need to remember, are expressly defined as datasets that contain personal information expressly acknowledged as not directly and immediately relating to activities threatening the security of Canada—the test for their acquisition is simply that the results of their querying or exploitation could be relevant and that this assessment must be reasonable.

It may be argued that this vast scope for bulk data collection is at least mitigated by the requirement for judicial authorization for the retention of those datasets, but rather than providing significant gatekeeping, this authorization simply compounds the effects of the very low standards that lead up to it. Personal information that does not directly and immediately relate to threats to the security of Canada is allowed to be collected if it “could be relevant”, if this assessment is “reasonable”, and if the judge then decides that the dataset can be retained on the standard of “is likely to assist”.

These, then, are the thresholds of what most Canadians would call mass surveillance, and we believe most Canadians would reject these thresholds as shockingly low standards. Thus, a genuine opportunity to meaningfully shape these surveillance practices is being squandered in Bill C-59.

The proposed standard represents a mass erosion of the privacy protections from the strict necessity standards that currently apply. We recommend that the CSIS bulk data provisions be revised to be expressly within the strict necessity standard, and not in exception to it, and that the criteria for bulk data collection, such as that fashioned by SIRC as implicitly principled and workable, be set out within the legislation.

Those are our prepared remarks. Thank you.

In terms of whether or not we have adequate resources, the transitional clauses in the bill are quite clear. What we have in terms of the commissioner, the employees, and the appropriation from Parliament all transition to become the intelligence commissioner and his office.

What are the requirements? The requirements are having intimate knowledge of CSE activities and of CSIS activities. Clearly we have the knowledge of CSE from the work that we conduct currently in reviewing the activities of CSE, but we also have on staff now individuals who have experience and knowledge of CSIS. We had the opportunity to do some staffing over the last year, or since June at least, and we have hired individuals with knowledge and experience of CSIS activities. As well, we have engaged special legal counsel, which we have with us here, to deal with the complexity of Bill C-59.

As to whether the staff is going to be adequate going forward, there are a number of unknowns in terms of the number of authorizations that will be required from CSIS or CSE. Only once the bill is enacted and the activities begin will we have a sense of what the volume of authorizations will be, but clearly there was a sense that we have a reasonable starting point. The drafters of the legislation and the government must have felt that we at least had a good start with what we have to transition into the new organization.

Well, according to the actual mandate, as well as the mandate that is provided for in Bill C-59, CSE cannot target Canadians or persons in Canada. It cannot. It can target people or entities abroad only.

Thank you, Chair.

Mr. Chair, honourable members, I am pleased to appear before this committee again, this time on the subject of Bill C-59. I am accompanied by William Galbraith, the executive director of my office, and by Gérard Normand, special legal advisor.

I have been the Communications Security Establishment (CSE) Commissioner for over four years. I am responsible for reviewing the activities of CSE, primarily to determine whether they complied with the law. This naturally includes everything to do with protecting the privacy of Canadians and persons in Canada. I am a retired judge of the Superior Court of Québec and of the Court Martial Appeal Court of Canada. As I like to often say when I appear before you:

I'm a young 75.

The phrase retired judge means that you cannot expect someone 40 or 50 years old. In order to retire, we have to be at least 69 or 70. That explains my somewhat advanced years.

The law requires the CSE Commissioner to be a supernumerary judge, meaning a judge who is on the bench part-time, or a retired judge of a superior court. My current term expires in mid-October this year, in 2018.

However, once Bill C-59 receives royal assent and part 2 enters into force, my role will change into a completely—and I emphasize completely—new function for intelligence accountability in Canada.

Indeed, the CSE commissioner will no longer perform after-the-fact review of CSE activities. The intelligence commissioner, or the IC if you prefer, will have a quasi-judicial role, of which the first part is reviewing and the second is approving authorizations issued by ministers for certain activities of CSE and CSIS before those activities can be conducted.

This specific role will be to determine whether the minister's conclusion to authorize the activity was reasonable. The test I have to apply is reasonability. In essence, this is similar to the function performed by a court of law when undertaking what we call “a judicial review”. This is, in my view, a critical role, intended to provide a quasi-judicial review of an intelligence agency's activities that may have charter and/or privacy implications.

Part 2 of Bill C-59, the Intelligence Commissioner Act, expressly provides for the transition of the CSE Commissioner into the new role of Intelligence Commissioner. The functions of post-facto review of CSE activities that I now perform will be assumed by the new National Security and Intelligence Review Agency, also proposed in Bill C-59.

This bill also requires the intelligence commissioner to be a retired judge of a superior court, which is appropriate, in my view, given the quasi-judicial function of this new position. However, this bill does not include the possibility of appointing a supernumerary judge, as is the case now with the National Defence Act for the CSE commissioner. I believe this bill should retain the possibility of a supernumerary judge, in part to ensure a broader pool of potential candidates. I was a supernumerary judge when appointed CSE commissioner four years ago, and a short time afterward, I fully retired as a judge.

The problem is the following. The pool of candidates for this job, the new intelligence commissioner, is very narrow. You must find a retired judge who has the proper background to be appointed—for example, a background in security matters or in national defence matters. The pool is very narrow. That's why I'm suggesting that we should keep in the bill what we have in the National Defence Act with regard to the appointment of the intelligence commissioner. In other words, a supernumerary judge should be appointed as the IC and then would retire maybe a few months later. It would be a transitory measure. I can see that if a sitting judge remained the intelligence commissioner for years, he might have some problems with conflicts of interest and what have you. I think for transition purposes, it might be very useful.

Previously, I submitted to this committee a written copy of substantive proposals for amendments to Bill C-59. Those comments were sent to your chair on December 6, 2017. I am also submitting today lists containing additional substantive and technical proposals that I sent to Minister Goodale and Minister Sajjan. I think you have a copy of those comments before you. I will highlight a number of these in my remarks.

The importance of the process the government has chosen to follow for this bill is, as stated by Minister Goodale, to allow new ideas and alternative suggestions to be presented before second reading in the House.

In this context, I will speak to changes I am proposing for three parts of the bill: part 2, the intelligence commissioner act; part 3, the CSE act; and part 4, amendments to the CSIS Act. While I am of the view that the proposed legislation is generally sound and that it addresses most of the recommendations made by me and my predecessors to amend part V.1 of the National Defence Act. I am also of the view, following in-depth analysis and discussions with officials and agencies directly involved, that certain amendments should be proposed. Among my substantive proposals, I will describe seven that I consider the most important.

First, I believe the intelligence commissioner should be involved in approving authorizations for CSE active cyber and defensive cyber operations which may also implicate privacy interests. Some commentators have remarked that this is a new and very broad mandate for CSE and that it is too permissive. By comparison, the CSIS Act requires CSIS to go before a federal court judge, in some instances, to have a warrant issued for similar activities.

Second, as the bill is written currently, the Intelligence Commissioner does not approve the minister's decision to extend the validity of a CSE foreign intelligence or cybersecurity authorization for an additional year. I believe the commissioner should be involved, given that he was involved in approving the initial authorization. Otherwise, in effect, the authorization would be for two years. However, this is not what the bill proposes. It proposes that this type of authorization is valid for a maximum of one year. If the minister granted extensions almost automatically without the commissioner being involved, the duration could end up being two years, instead of the one year provided for in the act.

Third, emergency authorizations for CSE issued by the minister for purposes of foreign intelligence or cybersecurity should also be reviewed by the commissioner immediately after they have been issued. This would be similar to the approach that exists in the Investigatory Powers Act in the United Kingdom. Under the U.K. legislation, the period of validity for these emergency authorizations is five days, the same validity period as in Bill C-59. However, in the U.K., the Judicial Commissioner must review and approve these authorizations within that time frame.