Information & Ethics Committee on Dec. 6th, 2016

In the case of the U.K., not a lot is known about the internal ministry arrangements. Much of it gets done at the ministerial level. There is some control of information by various administrative bodies, and certainly the independent reviewer in the U.K. reviews the extent of information-sharing.

In Australia and New Zealand they have information-sharing arrangements between, for example, federal and state police and ASIO in the Australian environment. Information does, then, get to be shared.

From a comparative law perspective, whether their particular tests for sharing information comply with ours or not, I couldn't tell you offhand. I can find out, as could one of your clerks, I suppose, but my view would be that the test of relevancy is too low in our statute. The test should be that it be necessary, as Daniel Therrien mentioned in his evidence.

I want to round out by responding to something that some of the service witnesses said on this question, and that I think Scott Doran from the RCMP said as well: that there's the sense that no one is going to know in some other agency what CSIS's mandate is, so how do I know whether it's “necessary” for CSIS? How am I going to divine that?

If you look at their testimony, you will also see that they talked about these agencies' having sectors or groups within the agency for whom there's going to be training on how to comply with the statute. Well, if there's going to be training on how to comply with the statute, you can train them to understand what “necessary” means for CSIS. It's not rocket science. CSIS does it; they deploy it. Somebody sitting in Health Canada, then, or one of the other agencies—CRA, let's say—can learn what the mandate is and can apply it. It's not as if it's mysterious; it's just a matter of training.

I'm sorry; I think I took too long.

Very briefly, then, and I'll let my colleague pick it up, the concern here is that you have two ends. You have the relevancy test for passing information over, and it's information relevant to activities that undermine the security of Canada, meaning the sovereignty, security, or territorial integrity of Canada. I sense that it's an incredibly broad definition, and the examples that are given are simply illustrative; they're not closed sets. Even if they were closed sets, even within them they're pretty broad, so you have broadness on both ends of this equation.

The concern I have with robust information sharing along these lines is that there's no real control for false positives. I appreciate that when it gets to the service—let's take the service as an example—they will apply their analytics and will ask whether this person is really engaged in something that undermines the sovereignty of Canada, whatever that means, and whether they'll take any national security action against the person.

However, it's rather like this: once they're on you, they're on you, and they just don't let go. It sits in the database, and there are no real retention issues spoken about here in this legislation. There are, at the service; they have their own retention standards, but what I'm concerned about is that the agency that sends information on, the transmitting agency, doesn't really turn itself to false positives. The “necessary” test would impose some rigour that at least has the prospect of doing so more efficiently than a relevancy test would.

Part of the training for those folks who are in the transmitting agencies is to really have some understanding of national security and to appreciate the ease with which there can be false positives. If you're alive to that possibility, then you'll be vetting for it, and the risk is diminished on the false positive side.

That's what my concern is.

Yes.

I think it ought to happen at the transmitting agency side, and it will happen anyway at the surface.

They will vet and employ analytics in any case, but in order to maintain protection for privacy rights, it ought to happen at the transmitting agency as well.

I concur with my colleague's comments. How do we find reliable information? That's what ought to be shared. That reduces the hay pile, for one, so we can get at the needles. The other piece is that then we avoid mistakes.

I'll give you some hypotheticals. Let's look at the definition, as Anil's pointed out. The real risk is that we've cast the net so wide when it was styled as “terrorism”. Terrorism is item (d) here. That's not even a Criminal Code offence, so that's something that needs fixing. Let's assume that's one piece, and we can agree with that. Nuclear proliferation and all of those are fine. Those are national security issues. However, then it's so broad that it's open-ended. Who hits the national security radar? If you see my submission, that little chart shows whole-of-government information sharing, so all these disparate decision points across government are making a low-threshold test to put information into this bucket. Someone may say, “Well, I have nothing to hide”, but in today's world, with data management....

Let's use my Saudi example. You're involved in trying to get Raif Badawi out of that hellhole in Saudi Arabia and you go to protests. The Saudis' intelligence says, “Some of these people are causing trouble for us.” Obviously they have a very low threshold of what's undermining their state security.

These countries usually see everyone as a terrorist. You or I are going to a protest, starting a petition against Saudi Arabia, boycotting Saudi oil or something, and we get picked up on their radar, so now we're in this bucket of data. It isn't just that piece of information, but it's the data crunching now as well, because it's whole of government. Now somebody might say, “Well, you know what? I've flagged someone of some suspicion at that low threshold, so let's see what else. Let's see what FINTRAC has on this person.” Those points are then put together and may create a false positive suspicion, so it's not clear, but there's a lot of data mining and data crunching going on through analytics.

Then we may share. This is the Arar-type situation. We may then say, “Here's the Saudi threat profile of protesters in Canada, and let's share it with the United States or with Saudi Arabia.” Then, after the fact, we may say, “Well, this was a mistake.” In our case, the agency may say, “Well, Ziyaad's cleared; expunge him from our CSIS database.” First of all, you're now in a bunch of other Canadian databases, so who's controlling that? The rules on retention and expunging are not clear. They're not even not clear; they're not there.

Then the other piece is, who's reeling back the information? In today's world, you see what a tweet does. You can't reel back a tweet, and this is much worse than a tweet. The worst thing would be if your name shows up and you're flagged and you go somewhere. Arar showed up in the U.S., and he was sent to Syria. Many Muslim Canadians travel to Saudi Arabia for a religious ritual, but if you now show up and land in Saudi, everything's integrated. Your passport's scanned and you're red-flagged there, and there's a real risk you won't just be sent back: you're going to be kept there, and that's worse than being sent back.

Those are the types of risks with data mining and harvesting all sorts of information under this very broad definition. What does “undermining the financial stability of Canada” mean? We make the debate about people who are involved in activities that criticize Canada's policies or whatever, and that's fine. We should have that debate. My worry is that this definition is going to put all sorts of innocent Canadians onto the national security radar when they should not be.

Yes.

That's a tough nut to crack, because I'm not an IT guy. I'm an Indian guy, but I'm not an IT guy; I'm probably one of the only Indian guys who doesn't know anything about computers.

Oh, oh!

Generally speaking, in intelligence matters there is an implicit caveat. When the service passes intelligence—let's say, to MI6 or MI5—there is an implicit caveat that it remains the property of the service and will not be passed on.