Thank you.
Chair and members of the committee, I am grateful for the opportunity to appear before you to provide some views on the Security of Canada Information Sharing Act, or SCISA, which is now embedded in Canadian law following the passage of Bill C-51, the omnibus anti-terrorism legislation introduced by the previous government in 2015.
C-51 provisions came into force, as you know, in August 2015. The Liberal Party promised to repeal the problematic elements of Bill C-51 and is currently engaged in the process of public consultations on elements of Canada's national security, but the government's plans with respect to any possible amendments to SCISA, in particular, have not been revealed.
SCISA appeared as part 1 of Bill C-51 in 2015. I was invited to appear before the Standing Committee on Public Safety and National Security on March 24, 2015 to testify on Bill C-51 as a whole. In my testimony, I divided the measures advanced in Bill C-51 into three baskets: first, those elements that can genuinely advance security capabilities in a reasonable and proportional way; second, those that do not advance our security capabilities or fail to maintain the vital security-rights balance; and third, those that, I think, deserve to be put on hold for deeper reflection.
In March 2015, I placed SCISA, or part 1 of C-51, in the first basket, of appropriate security enhancements. I also argued, and I quote myself, that SCISA “would greatly benefit from some detailed amendments...to bring greater clarity, heighten...efficacy, reduce...overbreadth, and bolster the security-rights balance.” Despite considerable public criticism of SCISA, no amendments were made to the act before it was passed into law. Nothing that has come to my attention since the passage of SCISA in unaltered form changes my essential view—that SCISA can and should be amended.
In terms of advancing security capabilities, the purpose of SCISA is, presumably, to try to ensure appropriate information sharing through exhortation, through a broadening of the information-sharing regime to encompass a large number of listed entities, and to allow for expanded information sharing under an altered definition of “threat”.
The committee has heard from eminent legal academics versed in national security matters, from a civil society actor, from the Canadian Civil Liberties Association, from government officials, and, earlier today, from the Privacy Commissioner of Canada. The perspective I offer is informed by my understanding of how intelligence and security systems regulate their information systems. I'm sorry if what follows sounds a little philosophical, but it has a practical point.
The specifics of SCISA need to be examined in the context of five guiding principles that should inform any effective information-sharing system for intelligence and security purposes within government. These principles have long been recognized and are as follows: the need to know, the need to share, the need to secure, the need to avoid information overload, and the need to be accountable. These needs shape an effective and reasonable information-sharing regime in a democratic system. They encompass lawful mandates as well as privacy and civil liberties protections. They are meant to interact to ensure balance between over-ingestion and under-ingestion of information. They are deceptively simple in the literal sense of their meaning, but not easy to operationalize as a package.
I want to just run through these five principles briefly.
The “need to know” principle refers to limits on information sharing that are shaped by the lawful mandates and operational needs of the agencies involved and by the requirements of information security. The more sensitive the information—the more that information might reveal details of intelligence sources and methods—the more intensively does the “need to know” principle come into play. “Need to know” can also be infected by non-operational imperatives, including bureaucratic politics, management styles, and personal proclivities on the part of officials working in the security and intelligence system. It is important that the “need to know” principle operate appropriately as a limiting factor, but it is equally important that the principle not be shaped by extraneous dynamics.
The “need to know” provisions in SCISA are generally weak and under-defined. Paragraph 4(e), under “Guiding principles”, sets out in a very general way the authorized actors in the revamped information-sharing regime. Subsection 5(1) of SCISA posits a need to know based on the notion of relevance, again a very general and potentially overbroad measure.
While it would never be possible to strictly operationalize a “need to know” function, because to do so might be to hamstring any information-sharing regime, SCISA errs, in my view, on the side of unhelpful generalizations, compounded by the implication of subsection 5(2) that, once information sharing is set in motion, it can continue down an undetermined path of further disclosure.
One remedy to consider would be to import a version of the limitation set out for CSIS in its act in section 2, through the use of a strictly necessary yardstick for information sharing.
Justice Noël, in a recent Federal Court ruling on CSIS warrants and the retention of metadata, has reminded us of the historical context of that CSIS-limiting clause. As Justice Noël indicated, it may be time to review the strictures of the CSIS Act, but if the strictly necessary provisions of the act are deemed worthy of maintaining, then their applicability to an information-sharing regime for national security purposes seems, to me, obvious.
Then there is the need-to-share principle.
The need-to-share principle rules SCISA. This might be regarded as an “Oh, duh” moment, but the problem is that the principle rules in a completely unbalanced way that, among other problems, might have an impact on the very objective it seeks: more effective information sharing in the interests of national security. There are three problems, I think, with SCISA in its adopted form.
The first is the large number of entities listed for participation in SCISA's schedule 3. This list stretches the meaning of the core security and intelligence community to include many entities with only a very marginal role in national security matters. The list can be further shaped by Governor in Council orders that would not necessarily be in the public domain.
Many of the listed entities will be only bit players, at best, in the scheme. The recent annual report of the Privacy Commissioner gives substance to this reality, as he found that in the first five months of SCISA, only five institutions utilized powers in the act. A bigger problem is that while agencies outside the core security and intelligence community might on occasion have valuable information in their possession, they lack the attributes of rigour, methods, and understanding of national security matters.
The SCISA entities listed in schedule 3 should, in my view, include only core elements of the Canadian security and intelligence community. These can be identified and, in keeping with this, the list should be considerably reduced from the 17 named organizations. Moreover, I think there should be a requirement that all listed entities have a common formal memorandum of understanding to guide their information-sharing practices internally.
A second problem is the expansive justification for information sharing provided in SCISA. As noted, the justification found at subsection 5(1) is relevance, which is not, in my view, a tight enough criterion as it does not provide any rigorous guidance and does not allow for any real accountability. Relevance needs to be replaced by some form of language about necessity and should include a measure of proportionality that is linked to mandates and to threats.
The third and arguably the mother of all these problems is the question of how SCISA defines the nature of the information to be shared. SCISA adopts a new definition at section 2 regarding “activity that undermines the security of Canada”, and I know you've heard a lot about that. This is a more expansive and open-ended definition than that provided in the CSIS Act, and I have heard no good argument for the change.
While I appreciate that the drafters of the legislation may have felt that a broader definition of the kinds of threats that now impact on Canada may have been required, on balance the definition they provided does not advance the public interest and has sown confusion and, in my view, many misplaced ideas about the powers provided for SCISA. A replacement use of the definition of threat in section 2 of the CSIS Act advances many of the same objectives, is an established criterion, and would provide greater clarity.
In particular, paragraph 2(i) of SCISA, as it currently stands, introduces a very dangerous dimension to government powers insofar as it opens the door to foreign interference in the domestic politics and sovereignty of Canada. It is also unclear to me how the SCISA definition of undermining the security of Canada operates for CSIS—one of the core agencies in the national security information-sharing regime—alongside its own mandate of threats to the security of Canada differently defined.
Fourth is the need to avoid information overload. Very briefly on this, one reason that it is important to find the right equilibrium between the competing demands of the need to know and the need to share involves the potential problem of information overload. If agencies and departments under SCISA are flooded with information that is ultimately not necessary to national security, not only does this information flood waste resources and personnel and impose additional burdens in terms of information security but it also hinders the overall operational effectiveness that is so important in a security and intelligence system that must constantly adjust its work according to its own calculations of threat and risk and that is always under immense resource constraints.
A too-expansive information system is not a precautionary measure; it can simply be an unnecessary burden. Too much information can be worse than too little.
The need to avoid the information-overload principle cannot be directly legislated. It has to be a product of the proper balance between need to know and need to share.
With regard to the need to secure, although SCISA contains an element of exhortation, particularly in sections 3 and 4, there is no exhortation regarding the related requirement in any information-sharing regime, and in particular in a more expansive system, for the careful protection of shared information. In an age of increased cyber-threats and in the face of the usual human proclivities for error and mishap, an expanded information-sharing regime must be accompanied by greater information-security practices. There is nothing of the sort in SCISA.
One way that such practices can be subject to internal self-examination in the departments and agencies involved in information-sharing is through mandated privacy impact assessments, but I note that in the 2015-16 annual report to Parliament by the Privacy Commissioner, only two of the 17 entities authorized to collect information under SCISA had deemed privacy impact assessments to be necessary. Even in those two cases, the privacy impact assessments, which under Treasury Board guidelines are meant to inform policies prior to their being fully implemented, were still being developed.
Another measure that could be considered in amendments to SCISA would be to provide an authorized role for departmental security officers in monitoring and reporting on information security measures.