Information & Ethics Committee on Nov. 22nd, 2016

If they said their collection authority has not changed, I would agree with that proposition. However, if we're talking about the RCMP, the RCMP has very broad authority under the common law to collect, share, and analyze information for investigative purposes. If the information is relevant to a criminal investigation and does not attract a charter interest, then I don't think a warrant is required.

There may be some cases in which section 7 or section 8 would be engaged, in which case additional safeguards would apply.

That's what's being budgeted, but that's not what we're spending.

Thank you.

Chair and members of the committee, I am grateful for the opportunity to appear before you to provide some views on the Security of Canada Information Sharing Act, or SCISA, which is now embedded in Canadian law following the passage of Bill C-51, the omnibus anti-terrorism legislation introduced by the previous government in 2015.

C-51 provisions came into force, as you know, in August 2015. The Liberal Party promised to repeal the problematic elements of Bill C-51 and is currently engaged in the process of public consultations on elements of Canada's national security, but the government's plans with respect to any possible amendments to SCISA, in particular, have not been revealed.

SCISA appeared as part 1 of Bill C-51 in 2015. I was invited to appear before the Standing Committee on Public Safety and National Security on March 24, 2015 to testify on Bill C-51 as a whole. In my testimony, I divided the measures advanced in Bill C-51 into three baskets: first, those elements that can genuinely advance security capabilities in a reasonable and proportional way; second, those that do not advance our security capabilities or fail to maintain the vital security-rights balance; and third, those that, I think, deserve to be put on hold for deeper reflection.

In March 2015, I placed SCISA, or part 1 of C-51, in the first basket, of appropriate security enhancements. I also argued, and I quote myself, that SCISA “would greatly benefit from some detailed amendments...to bring greater clarity, heighten...efficacy, reduce...overbreadth, and bolster the security-rights balance.” Despite considerable public criticism of SCISA, no amendments were made to the act before it was passed into law. Nothing that has come to my attention since the passage of SCISA in unaltered form changes my essential view—that SCISA can and should be amended.

In terms of advancing security capabilities, the purpose of SCISA is, presumably, to try to ensure appropriate information sharing through exhortation, through a broadening of the information-sharing regime to encompass a large number of listed entities, and to allow for expanded information sharing under an altered definition of “threat”.

The committee has heard from eminent legal academics versed in national security matters, from a civil society actor, from the Canadian Civil Liberties Association, from government officials, and, earlier today, from the Privacy Commissioner of Canada. The perspective I offer is informed by my understanding of how intelligence and security systems regulate their information systems. I'm sorry if what follows sounds a little philosophical, but it has a practical point.

The specifics of SCISA need to be examined in the context of five guiding principles that should inform any effective information-sharing system for intelligence and security purposes within government. These principles have long been recognized and are as follows: the need to know, the need to share, the need to secure, the need to avoid information overload, and the need to be accountable. These needs shape an effective and reasonable information-sharing regime in a democratic system. They encompass lawful mandates as well as privacy and civil liberties protections. They are meant to interact to ensure balance between over-ingestion and under-ingestion of information. They are deceptively simple in the literal sense of their meaning, but not easy to operationalize as a package.

I want to just run through these five principles briefly.

The “need to know” principle refers to limits on information sharing that are shaped by the lawful mandates and operational needs of the agencies involved and by the requirements of information security. The more sensitive the information—the more that information might reveal details of intelligence sources and methods—the more intensively does the “need to know” principle come into play. “Need to know” can also be infected by non-operational imperatives, including bureaucratic politics, management styles, and personal proclivities on the part of officials working in the security and intelligence system. It is important that the “need to know” principle operate appropriately as a limiting factor, but it is equally important that the principle not be shaped by extraneous dynamics.

The “need to know” provisions in SCISA are generally weak and under-defined. Paragraph 4(e), under “Guiding principles”, sets out in a very general way the authorized actors in the revamped information-sharing regime. Subsection 5(1) of SCISA posits a need to know based on the notion of relevance, again a very general and potentially overbroad measure.

While it would never be possible to strictly operationalize a “need to know” function, because to do so might be to hamstring any information-sharing regime, SCISA errs, in my view, on the side of unhelpful generalizations, compounded by the implication of subsection 5(2) that, once information sharing is set in motion, it can continue down an undetermined path of further disclosure.

One remedy to consider would be to import a version of the limitation set out for CSIS in its act in section 2, through the use of a strictly necessary yardstick for information sharing.

Justice Noël, in a recent Federal Court ruling on CSIS warrants and the retention of metadata, has reminded us of the historical context of that CSIS-limiting clause. As Justice Noël indicated, it may be time to review the strictures of the CSIS Act, but if the strictly necessary provisions of the act are deemed worthy of maintaining, then their applicability to an information-sharing regime for national security purposes seems, to me, obvious.

Then there is the need-to-share principle.

The need-to-share principle rules SCISA. This might be regarded as an “Oh, duh” moment, but the problem is that the principle rules in a completely unbalanced way that, among other problems, might have an impact on the very objective it seeks: more effective information sharing in the interests of national security. There are three problems, I think, with SCISA in its adopted form.

The first is the large number of entities listed for participation in SCISA's schedule 3. This list stretches the meaning of the core security and intelligence community to include many entities with only a very marginal role in national security matters. The list can be further shaped by Governor in Council orders that would not necessarily be in the public domain.

Many of the listed entities will be only bit players, at best, in the scheme. The recent annual report of the Privacy Commissioner gives substance to this reality, as he found that in the first five months of SCISA, only five institutions utilized powers in the act. A bigger problem is that while agencies outside the core security and intelligence community might on occasion have valuable information in their possession, they lack the attributes of rigour, methods, and understanding of national security matters.

The SCISA entities listed in schedule 3 should, in my view, include only core elements of the Canadian security and intelligence community. These can be identified and, in keeping with this, the list should be considerably reduced from the 17 named organizations. Moreover, I think there should be a requirement that all listed entities have a common formal memorandum of understanding to guide their information-sharing practices internally.

A second problem is the expansive justification for information sharing provided in SCISA. As noted, the justification found at subsection 5(1) is relevance, which is not, in my view, a tight enough criterion as it does not provide any rigorous guidance and does not allow for any real accountability. Relevance needs to be replaced by some form of language about necessity and should include a measure of proportionality that is linked to mandates and to threats.

The third and arguably the mother of all these problems is the question of how SCISA defines the nature of the information to be shared. SCISA adopts a new definition at section 2 regarding “activity that undermines the security of Canada”, and I know you've heard a lot about that. This is a more expansive and open-ended definition than that provided in the CSIS Act, and I have heard no good argument for the change.

While I appreciate that the drafters of the legislation may have felt that a broader definition of the kinds of threats that now impact on Canada may have been required, on balance the definition they provided does not advance the public interest and has sown confusion and, in my view, many misplaced ideas about the powers provided for SCISA. A replacement use of the definition of threat in section 2 of the CSIS Act advances many of the same objectives, is an established criterion, and would provide greater clarity.

In particular, paragraph 2(i) of SCISA, as it currently stands, introduces a very dangerous dimension to government powers insofar as it opens the door to foreign interference in the domestic politics and sovereignty of Canada. It is also unclear to me how the SCISA definition of undermining the security of Canada operates for CSIS—one of the core agencies in the national security information-sharing regime—alongside its own mandate of threats to the security of Canada differently defined.

Fourth is the need to avoid information overload. Very briefly on this, one reason that it is important to find the right equilibrium between the competing demands of the need to know and the need to share involves the potential problem of information overload. If agencies and departments under SCISA are flooded with information that is ultimately not necessary to national security, not only does this information flood waste resources and personnel and impose additional burdens in terms of information security but it also hinders the overall operational effectiveness that is so important in a security and intelligence system that must constantly adjust its work according to its own calculations of threat and risk and that is always under immense resource constraints.

A too-expansive information system is not a precautionary measure; it can simply be an unnecessary burden. Too much information can be worse than too little.

The need to avoid the information-overload principle cannot be directly legislated. It has to be a product of the proper balance between need to know and need to share.

With regard to the need to secure, although SCISA contains an element of exhortation, particularly in sections 3 and 4, there is no exhortation regarding the related requirement in any information-sharing regime, and in particular in a more expansive system, for the careful protection of shared information. In an age of increased cyber-threats and in the face of the usual human proclivities for error and mishap, an expanded information-sharing regime must be accompanied by greater information-security practices. There is nothing of the sort in SCISA.

One way that such practices can be subject to internal self-examination in the departments and agencies involved in information-sharing is through mandated privacy impact assessments, but I note that in the 2015-16 annual report to Parliament by the Privacy Commissioner, only two of the 17 entities authorized to collect information under SCISA had deemed privacy impact assessments to be necessary. Even in those two cases, the privacy impact assessments, which under Treasury Board guidelines are meant to inform policies prior to their being fully implemented, were still being developed.

Another measure that could be considered in amendments to SCISA would be to provide an authorized role for departmental security officers in monitoring and reporting on information security measures.

I'm very close. I'm happy to discuss this in questions. The last principle is one that has also come to your attention, I'm sure; it's the accountability principle. How do you ensure that SCISA can be held properly accountable? My recommendation in that regard goes to the question of mandatory record-keeping, which is discretionary under SCISA at the moment. I also suggest that the government follow through on its transparency pledges by providing for an annual report by the Minister of Public Safety, documenting the uses of SCISA.

Thank you, Mr. Chair. Sorry I went over.

Thank you, Mr. Chair. I will try to keep my comments brief so that we do have time for full questions.

Thank you, as well, to the members of the committee and to you, Mr. Chair, for having me back here again.

My name is Tamir Israel. I am the staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic. CIPPIC is a public interest clinic based at the University of Ottawa's Centre for Law, Technology and Society in the Faculty of Law. Our mandate is to advance the public interest in policy debates arising at the intersection of law and technology.

We are pleased to have the opportunity to testify before you today on the study of the Security of Canada Information Sharing Act, which I will refer to as SCISA.

As you are aware, SCISA was introduced last year as a central component of Bill C-51. In CIPPIC's view, SCISA constituted one of the more problematic elements of that legislative initiative, and it remains so.

Participation in modern life requires Canadians to entrust ever-growing amounts of data to their government, including sensitive financial, health, and other information. Providing such information to the government does not mean, however, that Canadians sacrifice privacy interests in this data, nor should it.

Core and long-standing privacy concepts such as necessity and proportionality, concepts intended to facilitate threat identification and prevention in a tailored manner, are wholly absent from SCISA, raising the legitimate concern that its mechanisms will be used in a manner that is disproportionate and that impacts heavily on the privacy of Canadians who have done nothing wrong.

SCISA's challenges arise in part from the regime it establishes, but also in part from gaps in the pre-existing framework that it expands and in which it was inserted. I will touch on a few of these problems, addressing specifically the relevance standard, the definition of security threats, and the lack of safeguards, which are issues you've heard of already. I will try to provide additional context and propose some solutions as I go along, some from within SCISA itself and some comprising amendments to additional regimes that come from without.

In particular, while I don't go into it in detail in my comments here, you've heard from many witnesses, as well as from Professor Wark here that the need for an external expert review body is paramount to maintaining the overall proportionality of Canada's national security framework, and that's no less the case with respect to the operation of SCISA in general.

I'll begin with a discussion of the relevance standard. It is one of the two core limiting principles within SCISA's information-sharing apparatus. It is an over-broad standard that's insufficient. Relevance requires the presence of a reasonable basis on which to believe that the information in question relates to, in this instance, the mandate of a SCISA recipient's organization, and to activities that undermine the security of Canada.

Relevance is perhaps the lowest and least-defined legal evidentiary standard. While CIPPIC would hope that a court ultimately interpreting the relevance standard in SCISA, and taking into account constitutional jurisprudence, would impart into it considerations of immediacy and imminence, we are concerned that the standard will be used to justify generalized information sharing.

This is indeed precisely what occurred in the United States with the National Security Agency. In powers newly granted to the NSA in 2006, the relevance standard was inserted as a key limiter intended to ensure the powers in question were employed only in the context of specific and immediate investigations of security threats. This relevance standard, however, was used to expand the powers in question rather than to limit them. Specifically, relevance had been defined to mean any piece of information that may one day be relevant to an investigation, facilitating a domestic dragnet program that involved the wholesale collection of everyday domestic and international call records in the United States on a regular basis.

The reaction of the USA PATRIOT Act co-author, Jim Sensenbrenner, who is a congressman, upon discovering the scope of application arising from this relevance standard, following disclosures by former NSA contractor, Edward Snowden, is telling. I quote:

“We had thought that the 2006 amendment, by putting the word 'relevant' in, was narrowing what the NSA could collect. Instead, the NSA convinced the Fisa court that the relevance clause was an expansive rather than contractive standard, and that's what brought about the metadata collection, which amounts to trillions of phone calls.”

While Canadian jurisprudence may well arrive at a different conclusion as to the definition of “relevance” in the context of SCISA, CIPPIC is concerned that there is insufficient guidance within the act as it is currently drafted to ensure it is applied in a proportionate and narrowly tailored manner.

On the other hand, we have yet to hear a compelling case for a general departure from the existing exceptions already embodied in the Privacy Act, which SCISA envisions. Under the Privacy Act, there are two existing operative exceptions that agencies can already rely upon when attempting to share threat-related information with other government agencies. Paragraph 8(2)(e) provides an upon-request exception permitting government agencies to share citizen information with investigative agencies, if asked to do so, for the purpose of carrying out a lawful investigation. In addition, paragraph 8(2)(m) allows proactive disclosure of personal information where the government institution believes the public interest in disclosure clearly outweighs any resulting invasion of privacy.

In the government consultation paper currently being discussed as well as in testimony before this committee, the argument is advanced that these exceptions are insufficient, primarily because agencies lacking a security mandate lack the expertise or incident-specific knowledge to fully utilize the information sharing permitted by these exceptions. This may be the case, but it is by no means clear how SCISA's adoption of a highly permissive and open-ended standard will remedy this.

On the one hand, non-security agencies receiving specific requests from security agencies for data under paragraph 8(2)(e) are able to rely on the requesting agency's guidance. On the other, agencies are no better placed to identify the relevance of specific items of information to unknown or unknowable security threats than they are to assess whether disclosure of such specific items will be in the public interest, as they are already permitted to do under paragraph 8(2)(m). In any non-generalized context, the information being shared will need some specific quality inherently indicating its relation to a known threat for the exceptions to apply. Assessments of necessity and proportionality can occur as readily in such contexts as can assessments of relevance.

CIPPIC would therefore encourage two amendments to correct the existing potential overbreadth in SCISA. First, we would replace the relevance standard within the act with one of proportionality and necessity. Second, we would encourage, as we have in our previous appearance before you, an amendment to the Privacy Act that would adopt an overarching proportionality and necessity requirement that would apply across all government sharing practices, regardless of the specific Privacy Act exception under which they are occurring. This would, as we indicated in our previous testimony, apply to information sharing done under SCISA, as well.

The addition of an explicit necessity and proportionality obligation would create a more precise framework for information sharing than that currently embodied in paragraph 8(2)(e) and paragraph 8(2)(m), employing the known standards of necessity and proportionality, which agencies have experience employing in a national security context. Overlapping protection in both the Privacy Act and SCISA would permit the Privacy Commissioner of Canada to oversee protection-related information-sharing practices while allowing other oversight and review agencies to assess necessity and proportionality within the context of their respective mandates. Supplementing these changes, we would encourage training units within different government agencies, potentially within the existing ATIP infrastructure that most government agencies have, to have expertise so that in-house capabilities can be developed to identify threat-related data.

A little bit more briefly, the “undermining the security of Canada” standard is the other key limiter adopted by SCISA, and you've heard some of this from other witnesses. We would concur with the testimony of these other witnesses in raising concerns that this standard is excessively broad. To assist the committee in its assessment of this overbreadth, we would like to provide two examples of how this overbreadth can lead to disproportionate or undesirable information sharing in a few definite contexts.

Specifically, SCISA's definition of security includes cybersecurity and a broad definition of cybersecurity. A single cybersecurity incident, however, can implicate the private information of hundreds of thousands of Canadians. All data affected incidentally by such a cybersecurity incident could be relevant, and the underlying security breach could be viewed as relevant to activities that undermine the security of Canada and, hence, could be subject to exceptions in SCISA. Given this potential for over-sharing, other jurisdictions have sought to address cybersecurity in an explicit manner that is distinct from other investigative contexts, and that specifically addresses these issues.

Additionally, while SCISA excludes advocacy, protest, dissent, and artistic expression from its definition of security, CIPPIC remains concerned that SCISA's security concept remains sufficiently ambiguous to undermine core democratic functions. We have seen government agencies recently targeting journalists, for example, in attempts to identify potential sources attempting to uncover police corruption. We have also seen the targeting of indigenous activists, not on the basis of their participation in protests per se but on the basis that such participation potentially poses a criminal threat to aboriginal public order events.

It is not clear to us that the prevailing exemption for advocacy and protest would exclude SCISA's being leveraged in these contexts for the purpose of preventing interference with public order. We are aware that the opposite conclusion is also possible and that the exception put in place is overbroad and doesn't allow for information sharing, even in contexts where violence may be the issue, but we feel it is sufficiently ambiguous to allow for either interpretation, and that is an ongoing concern for us.

Finally, CIPPIC is concerned that SCISA will be used as an avenue to feed domestic Canadian data into the Five Eyes integrated infrastructure in an unintended and unanticipated manner. CSE is Canada's lead Five Eyes agency and is a legitimate recipient of personal information under SCISA. While the framework under which CSE and its Five Eyes agency partners operate is presented as nominally excluding or limiting the impact on Five Eyes residents, and the permissive powers and activities granted to these agencies presume these underlying conditions to exist, SCISA could undermine those presumptions by allowing another direct avenue for Canadian information to flow into this apparatus.

Turning briefly to the lack of safeguards in SCISA, CIPPIC joins other experts in voicing our concern at the prospect of the nearly limitless post-collection retention that SCISA may facilitate. The Federal Court recently issued, as Professor Wark just mentioned, a decision heavily criticizing CSIS for its ongoing retention of large amounts of Canadian metadata that was not identified as necessary to any security threat and indeed was explicitly identified as not necessary to the resolution of any security threat.

In our analysis, SCISA could be perceived as providing CSIS with a justification for long-term retention of similar data, were that data disclosed to it through SCISA's information-sharing mechanisms. But we also note, more importantly, that other agencies such as the RCMP and CSE lack any form of retention obligations. We would suggest that the remedying of this lack of retention obligation would be best achieved through overarching amendments to the Privacy Act that would apply across all of government and impose an overarching retention obligation.

In addition, other overarching safeguards that could be adopted within the Privacy Act could provide additional safeguards and a better framework for legitimate information within a modified and reduced SCISA. These safeguards could include the adoption of privacy impact assessments and a more robust enforcement of the Privacy Act.

Those are my opening comments for today. I would be pleased to take your questions.

Thank you.

Thank you. It's an intriguing question. I may not be the best person to try to answer it. I think it is an important question. It was raised, if my memory serves me properly, with the Privacy Commissioner in the previous session.

The best I can do is to give you my quick understanding of this, which is that there is a distinction between an entity listed in SCISA possessing information, if possessed lawfully under provisions of its own mandate, and the flow of information through the SCISA system to the receiving institutions. My assumption about the question of where the warrant regime sits in SCISA is, in part, based on the analogy with part C of CSE's mandate for assistance to CSIS and other security and law enforcement agencies. In other words, if an entity in SCISA possesses information under its own lawful mandate, and it has the grounds, which according to the act are as overly broad as these grounds might be, to share that information with another entity, then the receiving entity—in this case, perhaps, CSIS or the RCMP—would be receiving that information under the lawful authority of the original collector. From its perspective, as long as those receiving agencies had an appropriate mandate to receive that information, then they wouldn't require a secondary warrant to acquire it.

It's a very complex scheme, and I think it feeds back into the suggestion you've heard from many of us who have testified on SCISA, that the problem is created by the nature of the principles underlying SCISA, their overbreadth, and in particular the definition under which the act is meant to operate.

Along those same lines, the Federal Court hinged its decision on the fact that CSIS is mandated to collect information lawfully only if it deems it necessary to address a threat to the security of Canada. As Professor Wark mentioned, if it received it through SCISA legitimately, then it now has legitimately received that information, and it doesn't need to rely on its authority within the CSIS Act, which already has a necessity limitation built into it. I think it's subject to interpretation either way, but SCISA could be seen as overturning that decision in a way that would allow CSIS to legitimately receive metadata, which it could not collect on its own footing, and to then retain it indefinitely.