Evidence of meeting #35 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was scisa.
A recording is available from Parliament.
12:30 p.m.
Liberal
Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC
I'll continue with you, Mr. Israel.
I was particularly interested in your opening remarks. In its 2015-16 annual report, the Privacy Commissioner indicated that the Security of Canada Information Sharing Act opens the door to federal government surveillance.
If you agree with this statement, can you explain how this legislation now opens the door to government surveillance?
12:35 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
The explicit provisions in SCISA allow for sharing only of information already collected, but because it provides a number of agencies with the impetus to begin to look for threat information, primarily on the front line, it may affect the manner in which they approach the information that they collect and retain, because that is now a new consideration they will be using in assessing their own information-sharing practices. At that stage, it could indirectly facilitate the additional collection of information.
When you're talking about the Government of Canada, which is an immense bloc, it's been compartmentalized with regard to the data it collects for good reason, because when you're dealing with the tax agency, you're not dealing within an investigative context, and you're sharing information with the government for tax-assessment purposes. When you're dealing with education insurance, you're not dealing with the government in an investigative context.
Historically, it's been addressed as separate, compartmentalized agencies with different types of information, with the exceptions for information sharing being very specific and targeted. If SCISA facilitates a more generalized information sharing—and I realize it hasn't to date, but it could, as these types of provisions have facilitated that in other jurisdictions—then that could be seen as our facilitating surveillance in a very direct sense, even though the information was already held by one government agency but maybe not by others.
Does that help?
12:35 p.m.
Liberal
Rémi Massé Liberal Avignon—La Mitis—Matane—Matapédia, QC
Yes, exactly.
Mr. Wark, do you have any comments on the subject? In your opening remarks, you spoke of the need for balance between—I'll use your words here—“the need to know and the need to share.”
Do you have anything to add?
12:35 p.m.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
Thank you.
I think the importance of maintaining a balance between need to know and need to share, which has been an ongoing tension in the entire western intelligence world since the 9/11 attacks, is of critical importance. The problem I see in SCISA is that the balance was never properly thought through, and certainly was not found in terms of the legislative language adopted.
In response to the particular question about whether SCISA was a kind of back door to authorizing new information-gathering and intelligence-gathering powers—and this is a concern that many people raised in the context of the original debate over Bill C-51—frankly, I don't see that in SCISA or even implicitly in its knock-on effects. It doesn't change, as I think you probably heard. Certainly other committees have heard from government officials that it doesn't change the actual mandates and lawful information-gathering activities of any of the agencies listed in SCISA. It is purely about information sharing. Information sharing may trigger—and this is my colleague Tamir's point—additional intelligence gathering and investigations by agencies that receive information, but that activity could occur only under their existing lawful mandates.
12:35 p.m.
Conservative
The Chair Conservative Blaine Calkins
Thank you very much for that.
We'll move to Mr. Kelly for seven minutes.
November 22nd, 2016 / 12:35 p.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Thank you.
Maybe I'll ask Mr. Wark this question. We have heard much about the lowering of the thresholds and—according to some witnesses and, probably, members of the committee—the problematic definition, or idea, of making activity that undermines the security of Canada part of the threshold for sharing information. However, I think that if you were to ask many Canadians if a law enforcement agency or an intelligence-gathering body possessed intelligence about an activity that undermines the security of Canada, they would want to ensure that such information is appropriately shared. People don't want the security of Canada to be undermined.
Could you give the committee an example so that we can understand the context? What would be an activity that undermines the security of Canada but that ought not to be shared?
12:40 p.m.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
Thank you, Mr. Kelly. I appreciate the question.
I understand the underlying implications of it. I think that probably all the witnesses you've heard from—including me and, though I wouldn't want to speak on his behalf, Mr. Israel—share the same objective. In other words, we want to ensure that Canadian security and intelligence agencies are able to appropriately share information.
The thing that perhaps a member of the Canadian public interested in this question would not fully understand is the issue of why this particular broader definition is needed. As I said in my testimony, I have not heard a good reason for that. What I would encourage the committee to do is to line up the new definition of undermining the security of Canada and its various clauses with the section 2 definition under the CSIS Act, which is of long standing, that defines threats to the security of Canada. It has been operationalized over decades within the security and intelligence communities.
We have arrived—the this term was used recently, in previous testimony—at a kind of cultural understanding of how that works.
There is nothing in the existing section 2 definition of threats to the security of Canada that would be weak or insufficient in terms of allowing, from my perspective, the kind of information sharing that is necessary and appropriate to securing Canadians' safety. The problem, I think, that many of the witnesses you've heard from see with this broader definition is that it is simply too broad and, worse, unnecessary.
12:40 p.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Okay.
I guess I'm asking the flip side of this question. If nobody had demonstrated the need to change and now that the act is there, what would be an example of an activity that would undermine the security of Canada that shouldn't be shared?
12:40 p.m.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
It's a good question, but I think what we're saying to you, Mr. Kelly, is that the answer is, unfortunately, “Who knows?” This is an inappropriate definition that does not advance the interests of the security and intelligence community in terms of operational effectiveness and that threatens that balance of need to know and need to share with information overload, which has all kinds of other knock-on implications.
Going through the list in section 2 of SCISA, where these various activities that undermine the security of Canada are listed, you see that they are broader and looser and baggier definitions that are unnecessary when lined up with section 2 of the CSIS Act. For the life of me, I don't understand why we did not stick with the definition in section 2 of the CSIS Act, which encompasses everything that needs to be encompassed and avoids ambiguity and problems introduced by this newer definition.
If the committee has heard from some government official that there was something inadequate in the section 2 definition in the CSIS Act, then that would be an interesting thing to pay attention to, but I am not aware that you have, or that the public safety committee has either.
12:40 p.m.
Conservative
12:40 p.m.
Conservative
12:40 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Thank you very much.
For me, the overriding theme of the look at SCISA is to try to strike that right balance between what government needs to be able to do to counter legitimate threats to national security and the assurance that Canadians have the right to privacy and can share information with government with the confidence that it's not going to be used or abused or come up in odd ways to haunt them years later.
What we hear from departmental officials often is that if we, for instance, use a necessity threshold for the sharing of information, then that information won't get shared in time, or it will damage their operations.
If we want to do justice to the various principles that Professor Wark enunciated in his presentation, what are the oversight mechanisms that you see? To me, that seems to be an essential part of the program. Especially in light of everything we've learned over the last number of years about Edward Snowden and others, getting a little window into how government operates in some cases with this information, it's hard for me to think that Canadians are going to have confidence to trust government with their information unless they know that there's some kind of independent oversight.
What are the mechanisms that you can imagine that would allow for the operational latitude that security needs—not that it wants, but that it needs in order to do its job properly—and also give Canadians confidence that there's someone looking over the shoulder of these organizations that are entrusted with that information and that they're not simply policing themselves?
12:45 p.m.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
Thank you, Mr. Blaikie. I had the pleasure, once upon a time, of meeting your father. I just wanted to say hello.
There are various mechanisms in place. We're in the business, as you all know, of reforming and thinking about reforming the system. But the place to start with regard to SCISA and making sure that the government can be held to account for how this scheme is operated, even if it's amended, has to be proper record keeping.
Unless there's a paper trail, a digital trail, we'll never be able to do any accountability, and the Privacy Commissioner has made this suggestion in his annual report. That's one thing.
There is an issue of ministerial accountability as well. I note that the public safety minister, in recent testimony to the public safety committee, on the back of the Privacy Commissioner's annual report, said he has sent a letter out to all his cabinet colleagues encouraging them to ensure that all of their departments involved in SCISA are maintaining proper privacy protections. That's a step, but on its own, I think, it's an inadequate step, important as it might be.
So there's record keeping and ministerial accountability. Again, I would come back to the importance, certainly for the broader Canadian public, of transparency provisions that are part of the legislation. There is a mandated requirement to provide an annual public report from the relevant minister, in this case probably the public safety minister, on the operations of SCISA. It should be a meaningful report.
Then finally, there's the question of agents of Parliament and independent review bodies. Agents of Parliament, such as the Privacy Commissioner, clearly have a role to play. The Privacy Commissioner was trying to indicate that he has some resources but perhaps not enough. I know the Privacy Commissioner's office well. It's not my place to speak to it, but it has very limited resources on the national security side.
With regard to independent review, as everyone will know, the problem is that we don't have an all-encompassing independent review system. We have these siloed mechanisms that independently deal with CSIS, are meant to deal with the RCMP on the national security side but haven't yet, and deal with CSE, yet there's nothing for CBSA and many of the other core security and intelligence systems.
I think we're all at the point where we recognize that the system of independent review, which we've inherited over the years, is a legacy system that's not functioning well, and there are various proposals on the table for how to change it.
On top of that, a new committee of parliamentarians, if Bill C-22 is passed in Parliament, will be an added element in that picture of accountability.
12:45 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
In addition to everything Professor Wark just said, I would add that I think there are ways to improve the timing of assessments on necessity and proportionality, if those were adopted, and those would involve, I think, better training in government agencies that are going to be the recipients of these requests and that are not inherently national security agencies. You could train people within these agencies to identify this information or to become more familiarized with the standards that are required to make those assessments.
Necessity and proportionality are both very core operative principles that are used all the time in this context. They're not new ones that are just imposed here at random. They're the ones that CSIS currently operates under, as we heard, and they're the ones that other agencies operate under regularly.
Imposing those standards does not really limit the ability of the existing agencies to get information that they're not already getting—and we haven't heard that they're not getting enough information—but with sufficient training and resources, maybe you can get around the issues related to timing.
In addition, one of the outstanding recommendations from Commissioner Major of the Air India commission was to have a centralized national security entity to address information flows between security and policing and other types of agencies, and to have that type of entity or another agency, such as the Privacy Commissioner for Canada, with a better resource and more expansive mandate or a more expanded expert review body with additional operational capabilities, take a more active role in interacting with government agencies and helping them to make assessments around whether specific items of information are or are not necessary to achieve threats. I think having that type of capacity within government or within an entity within government to facilitate that type of information flow could address any of the timing concerns while maintaining the privacy standard that should be kept.
12:50 p.m.
NDP
Daniel Blaikie NDP Elmwood—Transcona, MB
Do you think for the oversight committee proposed in Bill C-22, it hurts the credibility of that committee as an oversight organization that government is able to censure what information committee members will receive?
12:50 p.m.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
I should say to the committee that I have testified on Bill C-22 in front of the other committee. To make a long story short, I think there could be some useful amendments to kind of restrict the powers of the government on a discretionary basis and to impose restrictions on information that could be accessed and information that could be reported on by the committee.
That said, even with no amendments to Bill C-22, I think it's a great start and long overdue, but I'm hoping there will be some amendments of that kind.
12:50 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
Yes. I agree that the restrictions on the information it can receive and the information it can impart are both too restrictive and too much at the discretion of government. I think at the very least having an objective decision-maker weigh in on those decisions would be a great start in encouraging its independence as an oversight entity.
12:50 p.m.
Liberal
The Vice-Chair Liberal Joël Lightbound
Thank you.
We'll now move on to the last seven-minute question period. We'll start with Mr. Bratina.
12:50 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
Thank you.
On the notion of retention of data, I'm assuming most data now is electronic in nature and is not in brown paper envelopes although even if it were, it would get transferred.
Then, apparently, 400-pound guys in their basement can access any information anywhere and we've seen the fiasco south of the border recently with regard to that.
My first question is how do you wipe information? How do you get rid of it?
12:50 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
There are ways to delete information securely. Even a preliminary deletion will eventually lead to the information being deleted, but you can more comprehensively take active steps to delete information, to wipe hard drives, and to insert random data over where the data used to be to make that more concrete.
I think what's really missing, though, right now is the impetus to delete information, because there is no retention requirement, as we've heard. It's easier to keep it forever and even with just the vague prospect of its utility down the road, even if it's a 0.001% chance, the impetus tends to be to retain it just because it is so cheap to do so.
One of the problems with SCISA is that the more the information gets spread around different agencies, the more we have the potential for it to be accessed by a third party one way or another. Again, a retention limitation would facilitate the security concerns as well.
12:50 p.m.
Liberal
Bob Bratina Liberal Hamilton East—Stoney Creek, ON
Okay.
On the notion of parliamentary oversight, then you have government discretion as to whether the oversight body gets to see it or not.
Professor Wark, I will ask you this. Who is in the inner sanctum of the final decision as to...? To me, parliamentary oversight means at least the public has elected officials as part of the process, and that's the reassurance we have that the people are doing the right thing. Then there's discretion as to what information they get. Where does that sit—with whom?
12:50 p.m.
Visiting Professor, Graduate School of Public and International Affairs, University of Ottawa, As an Individual
Mr. Bratina, under Bill C-22, the ultimate discretionary authority-holder is the Prime Minister, and the proposed national security and intelligence committee of parliamentarians would be beholden to the Prime Minister in certain instances with regard to the information they can access and information they can report on. Again, I think many people who commented on Bill C-22 believe that it's perhaps over-broadly written and that it could be narrowed in terms of those restrictions. But it's important to say that the essential dilemma of parliamentary scrutiny of intelligence and security revolves around secrecy, and the need to both access secrets, in order to make sense of the security and intelligence world, and to protect secrets in the interests of Canadian national security. Bill C-22 legislation tries to find a fix to that difficult dilemma.
If I can come back just for a minute to your question about retention, it's absolutely true that most information these days is digitally maintained. There are still a lot of paper records around, particularly on higher-level decisions, memoranda to cabinet, and that kind of thing. But I would disagree with my colleague Tamir about the fact that there are no retention schedules. There are plenty of retention schedules. The problem is that they are not legislated and they're not available in the public domain, but the mechanism that is used to enforce retention schedules is ministerial directives to the agencies of the security and intelligence community.
One of the things I have pressed for in various circumstances, including with regard to CSE, is that some of those ministerial directives around retention of information could be made public without endangering national security to reassure the Canadian public that information is not being kept in an abusive and overly long way. The retention mechanisms do exist; they just are, unfortunately, and perhaps in some cases necessarily, secret.
12:55 p.m.
Staff Lawyer, Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic
Very briefly about that, the independent arbitrator for Bill C-22 on disagreements, some, including us, have called for a mechanism to allow disagreements to be referred to the Federal Court. The Federal Court has expertise in making these decisions.
Just very briefly, yes, absolutely, some agencies have retention limitations on an ad hoc basis that apply to certain subsets of information they collect, but an overarching retention limitation in the Privacy Act would provide for a more principled and across-the-board process. CSE has some retention limitations that are imposed on it, depending on the type of data it's collecting; CSIS doesn't have any, or didn't until recently; and the RCMP does not have many. It's very ad hoc now, and imposing an overarching principled retention limitation with the Privacy Act that applies to everything would make it a more consistent obligation.