Information & Ethics Committee on Dec. 6th, 2016

Thank you.

First of all, thank you very much for the invitation. It's a pleasure to be before you.

I've had the opportunity to read the testimony from your previous witnesses and I hope not to repeat what others have said.

I want to contextualize my remarks and my evidence before you in the following way. Information is the lifeblood of all intelligence agencies. Without information, there's no intelligence. I'll repeat that: without information, there's no intelligence. In order to effectively have a proper security intelligence apparatus, you must have information.

In these times, you all know that we're swamped with information. Everywhere you go, there is information. The government collects an astounding amount of information on every one of you; on every aspect of each of your lives, the government has information. The ability to maintain all these bits and bytes of our lives poses a huge challenge for our society in the private sector and certainly for government in the public sector.

I can tell you that as commission counsel on the Air India public inquiry, I had a front-row seat to a failure of information sharing that had catastrophic consequences. When I led the evidence of the victims' family members in part 1 of our inquiry, as counsel—I do a lot of trial work and a lot of appeal work—it was amongst the most challenging evidence I've ever had to lead. The impact on those folks was real and remains so today. It remains tangible today.

Similarly, although not as commission counsel, I acted in one of the closed proceedings in the Arar matter. I was involved with some of the folks who did that. I can tell you that the failure to have a proper, regulated flow of information has had similarly catastrophic consequences for that person, but not only for Mr. Arar: it also has had catastrophic consequences for the agencies involved, and if the agencies come before you and say it didn't, I'm here to tell you that it did. No agency wants to be complicit in such a thing.

It becomes even more important now when we have a change in administration in the United States. The CIA is a vast organization that collects a tremendous amount of information and floods the intelligence community with information. If that agency begins to be more aggressive, what are our agencies going to do when the information floats into our data set? How are we going to vet it? How are we going to protect against it?

What I'm most interested in is trying to orient this committee, if I can, to take an approach to this legislation that is, for lack of a better phrase, a grown-up approach. This legislation is immature in a number of ways, and I want to underscore particularly this point. None of us wants the agencies that are charged with protecting us to be starved of important, necessary information. None of us wants that, but we all must also want a refined approach to information sharing that, in my respectful submission to you, more properly balances privacy with necessary information sharing. This legislation doesn't. You've heard from my colleagues, Professor Roach and Professor Forcese, and you've heard from the Privacy Commissioner. The evidence of all three of those folks I agree with entirely.

I want to underscore something about one of the problems with this piece of legislation. It is about a lack of accountability. I mean particularly this. As I said at the outset, lots of information is gathered on each and every one of you. Under this legislation, one of the problems is whether or not the phrase “activity that undermines the security of Canada” is constitutionally compliant. In other words, is it so vague that it would be a violation of section 7 of the Constitution?

Leaving aside esoteric notions of legal theory, the practical concern is that vagueness in that legislation is a gateway for bureaucrats to pass information. Also, it's deployed almost entirely by representatives of the executive branch, without any serious prospect that anyone outside the executive would know what's happening or how it's being applied.

For example, not one of you will know that information about you is passed from one of the 17 agencies to CSIS. You just won't know. You'll have no recourse. Even assuming that you had some information somehow, there is no place for you to go with it. There's no specialized review body. There's no court process. There's no way for you to hold the government to account.

I know we have limited time, but I want to conclude my opening remarks with this notion that I urge upon you with as much force as I can: fundamental to any democracy is the ability to hold government to account for its actions. That can mean in court, at the ballot box, at an administrative tribunal, or in a review or oversight body.

However, blind faith and trust in government is not a virtue. Blind faith in CSIS, the RCMP, and all of these other agencies is not a virtue.

Instead, each one of you must have at your disposal the ability to call government to account for its excesses. Given the ubiquitous nature of information and the extent to which it reveals our tastes, preferences, and inner thoughts and beliefs, any regime that authorizes the sharing of information must be refined to regulate sharing that is necessary to protect national security. All of this requires—in my respectful submission to you—more conservative definitions and a more conservative approach to protecting information and ensuring that information that's necessary is delivered to the agencies so that they can discharge their duties.

In closing, then, the relationship between the citizen, his or her information, and the various government agencies is something that needs to be recalibrated in this piece of legislation.

There are a number of different ways it can be done. You have heard from some witnesses who have indicated changes in definitions. Those are all useful. I appreciate, though, that it may be beyond the remit of this committee. The notion of an independent reviewer is necessary, as well, as part of the framework of oversight and review in the national security environment. A committee of parliamentarians also may be able to do some work in this area, depending on how that committee is structured and staffed.

Really, in this moment when we have such upheaval around the globe, when various intelligence agencies are forwarding information to our intelligence agency, and when information is being domestically being harvested, we cannot not take this opportunity to apply a rigorous standard. If we don't, sadly, what might happen are events like the two horrific events that have happened already: Arar for the agencies and for Mr. Arar, and Air India for all of those folks.

Those are the comments I wish to open with.

Again, I thank you very much for the opportunity to address you.

Thank you for the question.

I think the bill itself—or rather, the law now—was so fundamentally flawed that whatever redeeming qualities it might have had were outweighed by the flaws. I usually use this example. If I bought a house that had a crumbling foundation, I wouldn't throw a few coats of paint on and say, “Let's keep this.” I'd say, “Let's start again.”

Let's go through some of the essential elements of Bill C-51.

The CSIS provisions give CSIS secret disruption powers to essentially disrupt people's lives and take actions that could result in disasters, as Mr. Kapoor said. They are a non-starter in a democracy. Things could happen to people, and they would never have legal recourse. They happen in secret. They would never see the light of day.

In a criminal context, police get warrants and they do have secret wiretaps, but ultimately it sees the light of day. You have a day in court. That's essentially our system. When the state acts against you, you have the right to defend yourself. When CSIS acts against you under these disruption warrants, you will never know and you will never have the right to defend yourself. Whether you're guilty or innocent, you won't have a shot to defend yourself.

Let's talk about promoting and advocating terrorism. First of all, the definitions in there are loose to begin with. The Criminal Code already has always had counselling offences, so when you're involved in criminal activity and encouraging it, you can be caught.

The Anti-terrorism Act, 2001 introduced criminalized actions that were removed from action, such as facilitating terrorism or encouraging someone to start committing a terrorist act. I had critiques about that, but it was still close enough to the act. In criminal law, what you want is to criminalize the act. Terrorism is essentially violent acts. They want to kill someone, so let's say it's killing someone. If I facilitate you to do that by encouraging you, giving you money, talking to you, I can be caught there. As a democratic society, we want to capture the act or something close to the act. If we get far from the act, we're starting to stray from our criminal law and democratic principles and we're starting to criminalize speech. What I learned in law school is that you don't pass redundant laws.

In the Anti-terrorism Act, 2015 we already had facilitating, which is close to the act. Then this must be something further removed from that, so now we're getting very close to criminalizing speech. I'm not saying I support people who say things that encourage terrorism. Of course, we all condemn that, but we live in a society where we tolerate some of that offensive speech.

The Immigration and Refugee Protection Act amendments in Bill C-51 essentially rolled it back, and Mr. Kapoor can speak to this in more detail because he is a special advocate. The Charkaoui decision said that in the security certificate process, secret proceedings where a judge sat alone with a CSIS lawyer were essentially unconstitutional. They introduced special advocates to represent the interests of the named party on the security certificate. Bill C-51 essentially rolls that back. IRPA was amended to say that the special advocates don't have access to all the information. It kind of undoes what the Supreme Court has told us.

Those are three pieces of it.

Let's talk about the no-fly list. We can debate till the cows come home whether no-fly lists—

I'm happy to do that. I understood that Mr. Long asked me about scrapping Bill C-51, but I can stick to SCISA.

In SCISA, as I said, information sharing needs to happen. We see the extremes. We see Air India and Arar. We see both sides of it not working.

It needs to work, but as Mr. Kapoor said, it speaks of activities that undermine the security of Canada, and then it lists a number of things in the act, which I'm sure you've all seen, and that is not the list. It is an open-ended list, given content by bureaucrats across government. Those are just suggestions about what undermines the security of Canada; it could include other things.

Essentially, the definition is the heart of the bill. You start with a fundamentally flawed definition and then you start to share information. There are no controls on how that information is shared. The door is open for sharing with foreigners, and that could include Saudi Arabia, and now, with the Trump administration talking about torture, it could be there.

Then I'll point out to you section 9. Section 9 says that when someone shares information and it harms a Canadian or some person—but let's say a Canadian, as in the Arar case—they're immune from paying out compensation or being sued for it.

It's essentially a busted bill. What we need to do is say that information needs to be shared, that it needs to be reliable, that it needs to be in compliance with the charter and the rule of law, and we need to make sure that CSIS actually works with the RCMP to move intelligence into evidence and get real terrorists off the street. The CSIS amendments actually are counterproductive to that.

My reading of it is convoluted. I believe you've heard Kent Roach, and I concur with Kent and Craig Forcese in their testimony that it's a bit of a dog's breakfast. Nobody is entirely clear, because the act uses very general terms—“will comply with” laws unnamed.

Then you read the green paper. I don't want to quote it right now because I don't want to delay us, but essentially it says we can share information subject to any prohibitions in law without naming those laws.

The suggestion is that the Privacy Act is there to protect people's privacy. You read the green paper and find that it says the Privacy Act has a number of exceptions, and rightly so. One is lawful authority: the police can come.... Then the green paper says that SCISA is considered to be a lawful authority.

Essentially, the Privacy Act is nullified by that reading. If that's the legal interpretation that government lawyers and staff have of SCISA, then I'd say the Privacy Act protections are not there.

Is that to one of us or both?

Obviously we live in a globalized world on all sorts of levels, including intelligence and security, and the threats that are out there are obviously globalized threats. It is important that we have relationships, but I believe it is also important to keep in mind our values in how we interact with the Five Eyes allies.

Saudi Arabia is not a Five Eyes partner, but I've used Saudi Arabia or states like this as an example. SCISA says that activities that undermine the security of another state hit the radar here. Does that include Saudi Arabia? If we are talking about Raif Badawi or about trying to change the government in Saudi Arabia, does that get people here on the radar? That's problematic, but I'll leave it for a minute and go back to the Five Eyes.

We need to share with those allies. One real problem now is that Mr. Trump says that waterboarding is just the start, and that he will kill the families of people who are suspected terrorists. Essentially, he is negating U.S. obligations under domestic and international law. The U.S. is our biggest partner in terms of information sharing on national security. I would be worried about how we protect our values, which are to share but to comply with the charter, the Convention against Torture, and the rule of law, essentially. Canadians need to interact with the world, but we still need to be Canadian. We need to take our values with us. Those are important relationships, but we need to be careful about how we engage and what we share.

I'll give you Arar as a classic example where we were sloppy in our sharing, and that led to a problem.

That's my answer—we need to do it, but we also need to be very conscious of injecting our values, protocols, and protections into that interaction.

We have to be a robust part of the Five Eyes. Culturally, we are all connected. Broadly speaking, we have the same sort of democratic structures and geopolitical positioning. I think the Five Eyes is a crucial alliance—if I can call it that—and we have to be a player in it.

I think you asked whether it was a good thing. I think it's a good thing.

I would say that it's important to participate and to be involved in it.

Some of these countries have threat levels that are radically different from ours. For example, the threat level in the U.K. is much higher than the threat level here. Their tolerance for incursions on the ECHR, or what we would call charter rights, is calibrated differently as a result of the threat environment.

If a state has, let's say, indefinite detention for 14 days, that doesn't necessarily mean that we ought to deploy that tool, even if they are Five Eyes. When it comes to information sharing with our Five Eyes partners, I think that's crucial, but the tools that we deploy are tools that are made in Canada and relevant to the Canadian threat environment.

In the case of the U.K., not a lot is known about the internal ministry arrangements. Much of it gets done at the ministerial level. There is some control of information by various administrative bodies, and certainly the independent reviewer in the U.K. reviews the extent of information-sharing.

In Australia and New Zealand they have information-sharing arrangements between, for example, federal and state police and ASIO in the Australian environment. Information does, then, get to be shared.

From a comparative law perspective, whether their particular tests for sharing information comply with ours or not, I couldn't tell you offhand. I can find out, as could one of your clerks, I suppose, but my view would be that the test of relevancy is too low in our statute. The test should be that it be necessary, as Daniel Therrien mentioned in his evidence.

I want to round out by responding to something that some of the service witnesses said on this question, and that I think Scott Doran from the RCMP said as well: that there's the sense that no one is going to know in some other agency what CSIS's mandate is, so how do I know whether it's “necessary” for CSIS? How am I going to divine that?

If you look at their testimony, you will also see that they talked about these agencies' having sectors or groups within the agency for whom there's going to be training on how to comply with the statute. Well, if there's going to be training on how to comply with the statute, you can train them to understand what “necessary” means for CSIS. It's not rocket science. CSIS does it; they deploy it. Somebody sitting in Health Canada, then, or one of the other agencies—CRA, let's say—can learn what the mandate is and can apply it. It's not as if it's mysterious; it's just a matter of training.

I'm sorry; I think I took too long.

Very briefly, then, and I'll let my colleague pick it up, the concern here is that you have two ends. You have the relevancy test for passing information over, and it's information relevant to activities that undermine the security of Canada, meaning the sovereignty, security, or territorial integrity of Canada. I sense that it's an incredibly broad definition, and the examples that are given are simply illustrative; they're not closed sets. Even if they were closed sets, even within them they're pretty broad, so you have broadness on both ends of this equation.

The concern I have with robust information sharing along these lines is that there's no real control for false positives. I appreciate that when it gets to the service—let's take the service as an example—they will apply their analytics and will ask whether this person is really engaged in something that undermines the sovereignty of Canada, whatever that means, and whether they'll take any national security action against the person.

However, it's rather like this: once they're on you, they're on you, and they just don't let go. It sits in the database, and there are no real retention issues spoken about here in this legislation. There are, at the service; they have their own retention standards, but what I'm concerned about is that the agency that sends information on, the transmitting agency, doesn't really turn itself to false positives. The “necessary” test would impose some rigour that at least has the prospect of doing so more efficiently than a relevancy test would.

Part of the training for those folks who are in the transmitting agencies is to really have some understanding of national security and to appreciate the ease with which there can be false positives. If you're alive to that possibility, then you'll be vetting for it, and the risk is diminished on the false positive side.

That's what my concern is.

Yes.

I think it ought to happen at the transmitting agency side, and it will happen anyway at the surface.

They will vet and employ analytics in any case, but in order to maintain protection for privacy rights, it ought to happen at the transmitting agency as well.

I concur with my colleague's comments. How do we find reliable information? That's what ought to be shared. That reduces the hay pile, for one, so we can get at the needles. The other piece is that then we avoid mistakes.

I'll give you some hypotheticals. Let's look at the definition, as Anil's pointed out. The real risk is that we've cast the net so wide when it was styled as “terrorism”. Terrorism is item (d) here. That's not even a Criminal Code offence, so that's something that needs fixing. Let's assume that's one piece, and we can agree with that. Nuclear proliferation and all of those are fine. Those are national security issues. However, then it's so broad that it's open-ended. Who hits the national security radar? If you see my submission, that little chart shows whole-of-government information sharing, so all these disparate decision points across government are making a low-threshold test to put information into this bucket. Someone may say, “Well, I have nothing to hide”, but in today's world, with data management....

Let's use my Saudi example. You're involved in trying to get Raif Badawi out of that hellhole in Saudi Arabia and you go to protests. The Saudis' intelligence says, “Some of these people are causing trouble for us.” Obviously they have a very low threshold of what's undermining their state security.

These countries usually see everyone as a terrorist. You or I are going to a protest, starting a petition against Saudi Arabia, boycotting Saudi oil or something, and we get picked up on their radar, so now we're in this bucket of data. It isn't just that piece of information, but it's the data crunching now as well, because it's whole of government. Now somebody might say, “Well, you know what? I've flagged someone of some suspicion at that low threshold, so let's see what else. Let's see what FINTRAC has on this person.” Those points are then put together and may create a false positive suspicion, so it's not clear, but there's a lot of data mining and data crunching going on through analytics.

Then we may share. This is the Arar-type situation. We may then say, “Here's the Saudi threat profile of protesters in Canada, and let's share it with the United States or with Saudi Arabia.” Then, after the fact, we may say, “Well, this was a mistake.” In our case, the agency may say, “Well, Ziyaad's cleared; expunge him from our CSIS database.” First of all, you're now in a bunch of other Canadian databases, so who's controlling that? The rules on retention and expunging are not clear. They're not even not clear; they're not there.

Then the other piece is, who's reeling back the information? In today's world, you see what a tweet does. You can't reel back a tweet, and this is much worse than a tweet. The worst thing would be if your name shows up and you're flagged and you go somewhere. Arar showed up in the U.S., and he was sent to Syria. Many Muslim Canadians travel to Saudi Arabia for a religious ritual, but if you now show up and land in Saudi, everything's integrated. Your passport's scanned and you're red-flagged there, and there's a real risk you won't just be sent back: you're going to be kept there, and that's worse than being sent back.

Those are the types of risks with data mining and harvesting all sorts of information under this very broad definition. What does “undermining the financial stability of Canada” mean? We make the debate about people who are involved in activities that criticize Canada's policies or whatever, and that's fine. We should have that debate. My worry is that this definition is going to put all sorts of innocent Canadians onto the national security radar when they should not be.

Yes.

That's a tough nut to crack, because I'm not an IT guy. I'm an Indian guy, but I'm not an IT guy; I'm probably one of the only Indian guys who doesn't know anything about computers.

Oh, oh!

I think the one of the solutions is to have a sort of centralized control over it. I recommended in the submission that there needs to be some centralized control of information sharing. The departments could do their piece, but somewhere in government—maybe in Public Safety—there would be someone overseeing all of this. The Privacy Commissioner and SIRC and everybody will do their audits, and we're calling for a national security review agency. Those will be the watchdogs, but someone in government needs to be shepherding the whole thing by asking what's being shared, what are the thresholds that are the same across government, and then asking, “Are we doing this and is it consistent?” Then if there's a false positive or something, that person or that entity within government would be able to issue instructions across government to say, “Search your databases for this record and this person and remove that information.”

It's not a fail-safe method, because government is so huge and people forget and whatnot, but it still leaves us with the real problem back in the world, because if it has left here and has gone to the Five Eyes or to Saudi Arabia, we'll never get it back. We have no control over how they deal with that information. We don't even have control anymore to tell them that they have to use that information “relevant to these issues”. They could use it for some other purpose completely.

I think there's a possible fix, but in today's big-data world where there is so much information, it's very hard to clean that up. I think one attempt would be a centralized review, and then a way to issue instructions across government.

Take, for example, the no-fly secure air travel passenger protect program. I don't even know what's happening, because it's shrouded in secrecy. We can debate about whether it works, but let's say you get the passenger manifest and you check for the names. If none of the names are on the flight and the flight lands safely, why should that information be kept?

I remember Bill C-17 years ago, when they introduced the regulatory framework for the no-fly list. That information could be shared around and kept indefinitely. I do not want the travel data of all Canadians flying on Canadian airlines kept in government databases to then be mined for travel patterns. We know that CSIS and CSE have played funny with metadata and and have crossed the line.

You have metadata and travel patterns, and you might be pulled in here now. You can see that all of this is there in government databases, and the preamble to the act says that there is the ability to collate. That, to me, is data mining. That's what it's enabling. Clearly, that's what part of it is. We do need to do some of that, but again, the net is cast so widely.

My starting position is that Canadians' privacy needs to be protected. If the government doesn't need to have information about you to do business with you—to vet your taxes or your health records—they should not have it as a starting point. If they have collected it in this process of security screening, once you're not a suspect or the flight has landed, etc., they should expunge that information. That's how we minimize the databases and avoid errors.

Generally speaking, in intelligence matters there is an implicit caveat. When the service passes intelligence—let's say, to MI6 or MI5—there is an implicit caveat that it remains the property of the service and will not be passed on.

Generally speaking, as I said, intelligence agencies tend to abide by this notion of an implicit caveat. There are also explicit caveats that are placed on intelligence that will say “Not to be used for...”, and you fill in the blanks. We rely upon our partners to follow those caveats, as they rely upon us to follow theirs. There is a mutuality to it.

I think that when you step out of the Five Eyes, European intelligence agencies will probably follow the caveats as well, for the most part. When you get further afield, it's much more difficult to ensure, but within the Five Eyes I think caveats are well respected, and everybody gets the protocol.

I want to add something very briefly. I'm going to part company with my colleague here on the question of retention, and I'm going to do it in this way.

To the extent that the service properly receives—and I underscore “properly”—information about national security threat information, I don't think it's wise for the service to destroy it. I don't think it's wise. Today it may not mean much, but 10 years from now or five years from now, when circumstances change and you're continually revising your analytics, you need to have a rich environment to be able to stay on top of the threat environment.

I think that with respect to information that's properly in the hands of the service—and I underscore “properly”—they should be able to maintain their files.

Well, no. I do accept that, but I'll give an example.

Let's say that you destroy a piece of information, and three years later. something happens. Perhaps a bomb goes off somewhere.

Where was the information? Why did nobody know about it? Well, you've destroyed the information or you weren't able to stay on top of that particular threat circumstance.

I think it would require extraordinary circumstances to destroy information that the service properly has, because they have an ongoing national security mandate.

From my perspective, if the service takes action and they do something and pass it to the RCMP for an investigation, it's going to end up in a court process, but I think it would be wrong to put an arbitrary time frame on how long the service should maintain it.

In terms of the principles in those arrangements, you've heard from others that reliability is a core principle. We've talked about relevancy versus necessity. I'd concur with my colleagues Roach, Forcese, and Anil about necessity being a threshold. I believe Professor Forcese talked about “materiality”. I think that gets us more reliable information, so changing that standard would help, as would ensuring in those arrangements that there is rigour in the sharing, that we're looking to those criteria, and that there is necessity as well.

We talked about the life cycle of data. I'd like to see something about that. I don't entirely disagree with Mr. Kapoor. Yes, relevant information needs to be maintained, but a lot of irrelevant information may be pulled in, especially in the case of SCISA. That is what I'm concerned about. Therefore, I think those arrangements should also have an eye to the life cycle. How is data shared? How is it used? What happens to it afterwards? Also, is there some tracking of where it has gone within government agencies?

I come back to my suggestion that there be some kind of stickhandler in government who is overseeing this and setting standards in creating these arrangements, maybe with a model agreement or an arrangement that comes from the centre and has gone out to agencies.

On this issue about necessity and the nature of the information-sharing agreements, I don't necessarily agree that materiality is a workable test. I am saying that because I think necessity is much easier to manage.

Materiality brings into relief not only what you know at the transmitting agency but also what the recipient agency or the requesting agency knows, because under this legislation the service could request from any one of the other 17 agencies. It's unworkable to say that the transmitting agency should know the service file. We have one intelligence agency, CSIS, so if CSIS thinks.... Pick somebody else, such as the CRA or the Department of Health. Let's say that for some reason CSIS thinks the Department of Health has important information for their case. The people at the Department of Health aren't going to know the entire CSIS brief, nor is it practical for them to know it, but they would need to know that to execute on materiality.

Necessity, by contrast, I think is more modest. The service can warrant why it's important to them, and Health Canada can then do its own due diligence on its own side. Materiality is just a very broad concept that brings it into a whole mosaic that I think is just not practical for all the various agencies to transact in parallel.

It certainly allows for sharing of information, but this problem that existed in terms of Air India was really the result of a very immature approach by the RCMP and CSIS to their respective mandates. Of course, keep in mind that CSIS was a baby at that time. It had just been created.

The infrastructure problems and the lack of coordination that we saw in Air India have to a large extent been ameliorated by changes in the way in which the RCMP and the service deal with each other on a regular basis. That problem is working itself out, and the agencies are much closer and have a much more mature relationship today than they did then. This statute doesn't really affect that. It's going to happen anyway; it happened before this statute. The statute doesn't really enable that. It's just kind of more stuff, more information, but the real rigour happens in the ways in which those two agencies have decided to change how they coordinate with each other.

I'll take a quick shot at it, and then I'll let Mr. Kapoor handle the rest.

On the all-of-government sharing, clearly some government agencies may have information that would be useful in national security investigations. In terms of casting the net that wide, I don't know if a case has been made that it's just every conceivable government agency. That would be the troubling thing—that it would be cast so wide—but I wouldn't say that no other agency, other than national security agencies, would have information. Clearly there may be information in other agencies that may be useful in a national security investigation.

To answer the question, there's a bit of irrationality going on here. The primary actors for national security are the service, the RCMP, the CSE, and then National Defence and the CBSA. Let's call them the main actors.

When you drill away from that and look at the Department of Transport, they may have a national security remit, but it would be sort of a knock-on remit, if I can put it that way. Let's say CSIS has intelligence about some weakness to some rail system somewhere, or somebody's going to blow up something at a rail system. They would then want to activate the Department of Transport for assistance, and our provincial partners as well.

It seems to me that it should be about information getting to the main actors in national security, because that's what this is about. It's not just simply the service giving information to the CRA to help them collect your taxes.

I don't agree with that. The section says “any person”. My concern with this....

I would agree with the first statement, that this act purportedly encourages information sharing. You don't need section 9 to do that.

I didn't have a chance to read her testimony, but the other piece is good faith. They may hang their hat on that, saying that these aren't malicious shares, but you can be negligent and act in good faith as well, in my view.

I think it includes the crown. I think it's pretty broadly worded. I think it's disingenuous to suggest that this facilitates sharing or—

—encourages that. I think civil servants should be acting in good faith all the time, and I think they should act within the law. When they step outside those bounds, the government should be held accountable. That would be my position.

Really, this is just an indemnification issue. The government has to be responsible for mistakes. Individual persons are on this team and are transmitting information. Just by indemnification, the government can solve this problem so that they're not hung out to dry. From my perspective, we can get rid of this provision and have proper indemnification agreements.

The Privacy Commissioner plays an important role because of the privacy protections, but the Privacy Commissioner is not a national security expert. That department does not have that expertise. That would be one of the issues. Would they have the clearances to get at everything and look at everything? That would be a concern, although certainly the expertise of the Privacy Commissioner is welcome.

The recommendation I've also made is that other than the committee of parliamentarians, we need to have one unified, arm's-length, well-resourced review agency—some call it super-SIRC, but I like it call it the Canada national security review agency—to oversee all of national security. That organization could play a role in reviewing information sharing as well. The other piece, which I don't think would be touching as much on information sharing as on the law policy side, is the independent reviewer of national security law and policy.

The last piece I've suggested is that within government itself, probably within Public Safety and reporting to the minister, there should be some sort of information-sharing czar to oversee all of it. When you have all these pieces moving, we could actually have a national security disaster if something weren't caught or we could have a disaster when mistakes were made. Someone in government who's actually a bureaucrat could be overseeing all of this and reporting to the minister.

Those would be all the pieces, I think. There would be one from the public watchdog side but also one in government to make sure all the parts are moving well.

I'll try to be quick without going through the whole list.

I think the amendments were essentially on lawful advocacy. I believe there was one other amendment, and it was to section 6, which says that information can be shared for any purpose. The complaint I had was that this was essentially completely unwarranted, even in this broad act. Once the recipient agency has it, it can then be shared anywhere, including with foreign agencies, for any reason. There was some amendment to that.

I don't think those amendments essentially changed the core of my concerns. I'll just quickly go through them.

The word “lawful” was dropped on the advocacy. That is fine, because the complaint was that people can be unlawful but not violent, just civilly disobedient, and do we want to pull those people into the national security net? I don't think any of us want to do that.

I believe that Professor Roach and Professor Forcese raised the issue of violence. I concur with them that you need to clean that definition up to make it a little tougher. It's a little loose now. It needs to mirror the Criminal Code's lawful exemption, where advocacy, protest, and dissent that are not violent are covered. They could be unlawful but not violent, and we would all probably agree on that.

I don't think the other amendment on section 6 actually changed anything. Some words were changed to say that sharing is neither allowed nor prohibited but must comply with law. The question was, which law? The green paper's legal interpretation of the Privacy Act is that SCISA is a lawful authority to override the Privacy Act. Essentially, section 6 still says that you can share with anyone, and it's not even linked to the purpose of SCISA anymore.

Essentially, those are the two amendments. I don't think they change my concerns with the bill.

Yes.

I think there are two components to any sort of after-the-fact oversight of it, rather than a real-time review. I've said before other committees that I think real-time review is kind of silly. You can't have an investigator out there trying to do his investigation and at the same time being required to show up before a review committee. That's just not going to work. It has to be after-the-fact oversight, and I think there are two components to it.

There has to be an expert component to it—that is, people who are expert in the area of national security—and there has to be what I would characterize as a parliamentary review, which is the committee of parliamentarians.

The committee of parliamentarians is very important because it has democratic legitimacy. It can bring concerns from constituencies to the agencies and can conduct closed hearings as well. I think there is a democratic legitimacy to the committee of parliamentarians, augmented by expert review, which can be.... Justice O'Connor recommended a sort of “super-SIRC” across all the agencies. To the point my colleague was making, we were certainly of the view on Air India that there ought to be a national security adviser.

The expert review has to be across all the agencies, and there needs to be a panel as part of that, but also an independent reviewer, as they have in the United Kingdom. In the United Kingdom, the independent reviewer is tasked often with particular instances, and I'll give one example for Canada: the tragic events on Parliament Hill. It might be important for the population to understand how this happened, what the intelligence agencies knew, and what they did not know. Was it something that could not have been prevented? An independent reviewer can dig in on an event like that in a way that no one, from a public consumption perspective, is actually doing.

From a public relations perspective, it is very important that the public understand what the agencies do. Frankly, a lot of what they do, they do very well. I think that oversight can deliver that message.

I will echo my colleague here. We've called for it for a long time. A committee of parliamentarians is fine. I think Bill C-22 needs some reform, but it's a step in the right direction to give some political accountability and public accountability linked to all of you who are elected.

The first thing is to have a national security review agency that unifies all the agencies, but it would not be separate agencies working together, which I think is too convoluted. You want one counterweight to the security agencies. It makes security better, makes them work better, and gives public confidence.

Second, we need well-resourced experts in the field who can build relationships with the agencies and have access to all information.

Third is that independent review of national security law and policy as they have in the U.K. That person would, in the case of Bill C-51, come and testify on that and give independent advice on it. That person would be able to have access to secret jurisprudence and legal opinions in government and be able to comment to the public and experts with some feedback on what the national security landscape looks like.

No, I think that harmonizes it and rationalizes it to the national security remit.

Yes, on the recipient side I would agree, but on the delivery side, if I can put it that way, I don't have any trouble with who knows what kind of information floats in through any different agencies.

This is about national security, so the hub has to be the lead agencies. They ought to be the main recipients.

I don't, provided that the test is a necessity test.

Yes. I don't see why not. As I said, it's not rocket science. I think it was somebody from the service who testified before you who said we have to educate them on relevancy.

Well, at least it's better than none. I suppose the Privacy Commissioner will have a particular sensitivity to the extent to which information is being passed on when it's not in accordance with this statute.

I don't have a visceral objection to it. I'm more interested in the efficacy of the national security information that's being harvested by our agencies. That's what I'm more interested in, and I think that's something that an expert national security panel can deal with on the privacy side. I agree that the Privacy Commissioner is the appropriate one to deal with that.

On the warrant question, I think both Craig and Kent testified about how this is infirm in relation to section 8, to the extent that it connects to criminal law enforcement. In my other life, I defend and occasionally prosecute on the crime side. I would say that this bill needs to be amended in some way to preserve section 8 rights in the criminal prosecution realm, and there should be a requirement that a warrant be obtained.

What I'm concerned about is a factual situation in which at the national security joint operations centre, they're on somebody. They think there may be some information sitting in one of these 17 agencies or one of the hundred-and-some agencies. They pick up the phone, call down, and say, “Do you know anything about this guy Blogs?”, and the answer is, “Yes, we do.” They say, “Okay, I'm going to make a request.” Then they make a request and they get the information that way, rather than through a warrant.

I don't want it to be misused. I would want the warrant requirement to be preserved here. You can foresee that there will be litigation on that question, so why not just cross it off now?

I would say that in a criminal investigation, you can't make a request. You have to....

When we look at Air India, we see that information wasn't shared, so I think we maybe need to look at new legislation—I mean, it's not in here—and some requirement for the agencies to work together.

Mr. Kapoor has indicated they're doing that, but that's the type of thing we need in an information-sharing law. We need to look at encouraging that information sharing where it's necessary and within the bounds of what we're talking about. It's not about harvesting a lot of information, but about keeping it very focused to the information we need that's related to national security issues.

Then I think information-sharing legislation should look at the principles that we talked about related to the thresholds. That should be laid out in law. Possibly the idea of a stickhandler in government should also be looked at. Those roles need to be laid out.

I think there is a role for law in setting up the architecture. You don't want to just have it happening out there, because if it doesn't happen properly, you'll have a problem, or if it happens in the wrong way, you'll have a problem on the other side, as we've seen with the two inquiries. A good role for law on information sharing is to set up that architecture—to set out the rules and the thresholds, and what the mandates of the agencies are.

To follow up on Mr. Erskine-Smith's point, who's overseeing this? I'm worried that interim measures may become permanent measures, and we'll say we have something. If you can recommend pushing towards coherent controls and review, that would be my suggestion.

I don't think there's much in here that I'd keep. I'd say you could use this as a basis to redraft. As I said, there are a lot of fundamental flaws, starting with the definition.

I think the concept of having regulation of information sharing is a good one. You've heard various criticisms about this particular act, but the idea of identifying agencies that are delivering information and identifying each of the recipient agencies is a good thing.

I would have a slightly different list. We said in Air India that we thought that a national security adviser is important not only for investigations that are both CSIS and RCMP investigations, but a national security adviser could also direct traffic on information. We had a section in there on how that content can be privileged so that it doesn't necessarily end up in a court case. Having a robust national security adviser goes some way of directing the traffic, not only in terms of investigations but also in terms of information sharing. There just doesn't seem to be an appetite for that on the part of the agencies.

This goes to the root of my concern. The target of information that would reach the threshold is so broad that it's not even broad: it's open-ended. It's already set up to become something quite amorphous.

At the lowest level, it could just be that they'll harvest all sorts of information and they won't know what to do with it. The worst-case scenario, as I've pointed out a couple of times, is that either we miss a terrorist or a national security threat because there's so much information there, or else that we make mistakes and share collected information and mined data abroad and create a disaster for individual Canadians.

If I were rewriting this, I would just start again. It's a short bill, so you just start again. As I answered to Mr. Blaikie, you'd lay out those principles. You'd start with a very tight definition. I believe Mr. Erskine-Smith mentioned the section 2 definition in the CSIS Act; I think that's a good start, because if this is a national security information sharing bill, let's tie it to national threats to the security of Canada. That's the remit of CSIS, and that's a pretty broad definition in itself. That brings us to a nice tight definition, and then of course there's laying out the protocols and safety measures. I think that would do it. That would regularize and give us some coherence in national security information sharing.

As well, though it's not for a bill, a lot of work needs to go into making the agencies work together in a coherent way and into improving that review over time.

I believe Commissioner O'Connor mentioned in his report that given the threats out there in the geopolitics of the world, obviously Muslims are implicated. That's not the right word, but you know what I mean. They're possibly seen as threats or whatnot, and because Muslims are on the radar, that can lead to problems. Though the national security bills are drafted neutrally and nowhere say “Muslim” or “Arab”, that's the fight we have right now in the world with terrorism. In that context, likely a lot of national security resources are going to be focused on that. We can debate whether that's right or wrong, but that's what's going to happen, and inevitably, because the security agencies are going to be looking at those communities, there's a risk that the mistakes will impact those communities disproportionately.

Data, as you know, can be very significant, particularly metadata, which is a lot of what our service harvests these days, and a lot of agencies are trading in it. There's a big debate right now about its usefulness and its probativeness in criminal trials, for example, and whether it can be obtained without warrant. There's a whole big debate on this question, as you know.

From my perspective, it's all about content that's important for national security, so if you're sitting on a data point and you've satisfied yourself that it's necessary for the service to have it for their remit, then I think the act is engaged and the content can be passed.

From my perspective, it's about national security content, if I can put it that way, which would cover both data and information.

I concur with that. I agree that data per se, or data points—metadata and those sorts of things—can appear innocuous in some ways, but again it's the data mining. Because of the—

Exactly, and we certainly need to do that. I'm not suggesting in any way that our security agencies should not be doing that, because that's a useful way to identify threats and see patterns of criminality, but it's how we do it and how much information we're pulling.

You're an IT person. Humans still are the programmers, so whatever algorithms we design and run are not perfect, because humans are running that AI. We should be cognizant of the fact that those computer programs can make mistakes, and that's where I see the data.

I guess what you're asking is whether or not the standard should be more forgiving of sharing information—I'm using “information” to include data—or less forgiving of sharing. Again, it comes back to a question of balance.

From my perspective, if this is a national security piece of legislation, which I gather it is, we ought to marry up the definitions for the national security agency. They ought to be harmonized and rationalized to the service mandate. As for whether it should be based on necessity or relevancy, the service should only share it if it's necessary and should only use it if it's necessary. The service should have a necessity requirement built in. So too should the agencies that are sending information.

Right, but I think “necessary” is pretty wide.

Yes.

Fair point. It's probably different in degree rather than in kind. Mr. Kapoor, you can jump in.

I don't want to use the word “relevant”, because we're debating that, but it was information that was properly within the remit of those agencies. I have no problem with agencies keeping information properly relevant to the investigations and their work.

In the case of large-scale harvesting of information, such as checking passenger manifests from every flight against no-fly lists, presumably that does not need to be kept. We don't need the travel patterns of every Canadian. Arguably somebody could make a case that three years down the road we will see Joe Smith on our radar, and we'll want to check all of his travel patterns in the past. What I'm really concerned about is that we're getting into a pre-crime society. Now we're keeping data on everything that someone does against the possibility that Mr. Bratina may do something in the future, so we can check if in the past he's crossed the line.

I'm just using you as an example. You're the first person I saw.

Oh, oh!

I'm sorry.

That's my main concern there.

In today's world, it's going to be tough, especially with a lot of data, but I think we need to be very nuanced in how we strike that balance while respecting the law.

The key is going to be those thresholds. If we start to get the inputs right, then likely the information in the databases will be necessary to be held. If the net is so wide that we're pulling in anti-Saudi protestors, or whatever they are, or just anyone who is flying, and then later they show up on the radar possibly, and then all of that is pulled in to create a profile of them with metadata and travel patterns, that to me is worrying, because fundamentally in a democracy we don't do that. When Commissioner Paulson was talking about keeping email content on servers, one of the U of T researchers said, “Why don't we just have a camera in all of our homes because it could be useful someday?” I think that really hit the nail on the head.