Information & Ethics Committee on Feb. 2nd, 2017

If I could add one more point....

The need to know, determining who you actually want to share sensitive information with because of the risk to that information, is still a very real principle in the intelligence community.

At Transport Canada we do not collect information. We only use it. We use the information that we receive or request about specific individuals or organizations, or for other needs. It's very limited. We do not seek bulk data. Our mandate is very specific.

I think I would agree in general terms with that. I think that the legislation was passed in response to a perceived need for a framework to do exactly the kind of sharing that we had trouble with from time to time previously. By providing a framework for that sharing, it is a useful tool. It has not yet been much used, but the potential....

I think all of us have probably been in situations where we were in receipt of information that we thought might be useful to someone, but we weren't sure what our authorities were to actually pass it on. This provides, as I said earlier, a couple of simple tests so you don't have to move heaven and earth to actually figure out how you can make that determination.

Maybe I'll just add really quickly that it also provides an opportunity to provide better understanding, better consistency, and better discipline in terms of how that information is being shared across 17 departments, as opposed to the way that we've been doing it.

It's everything you mentioned.

We collect foreign signals intelligence from the global information infrastructure. The global information infrastructure can be the Internet. Traditionally, going back to after the First World War, it was radio waves. I, unfortunately, can't get into all of our capabilities in terms of what it is that we're collecting, but in simple terms, the things that you were highlighting, whether it be.... Telecommunications data, essentially, is covered.

It's very complicated. I'll give you the response in English that we usually provide.

We use the analysis of metadata, essentially. That, of course, is something that is very much a debate, and I think, for the most part, is misunderstood in terms of the need for metadata. Metadata information, particularly telecommunications metadata, allows us to be able to tailor our collection capabilities, to be able to understand and go after the information that we actually need.

First and foremost, what are our guidelines in terms of what we're looking for? The Government of Canada, cabinet, sets the intelligence priorities. Intelligence priorities are obviously classified, but it's not hard to understand. There is counterterrorism, for example, and when we're supporting military operations, we need to go after information pertaining to that.

The Internet, unfortunately, doesn't have a place where all terrorists go, so we need to understand, as all this information is intermingled on the global information infrastructure, how many pieces of information are being transmitted. We need to analyze metadata. Metadata can be an IP address or an email address, but it can also be when a signal passes from a cell tower to a server to somewhere else. It's through the analysis of metadata that we can then hone our activities and be surgical about what it is that we want to go after, because, as you can imagine, the Internet is incredibly vast. If you actually pause for a moment and try to understand what is actually happening on the global information infrastructure in a minute—how many YouTube videos are uploaded, how many people are tweeting, how many people are using Skype, or texting, or using social media and all of the things that are happening there—it is incredibly complex and incredibly vast. You need to be surgical if you're going to go after what it is that you're looking for.

Unfortunately, I'm limited in what it is I can say to describe exactly how we do what we do. That would be a gross overgeneralization of how we go about it. It is infinitely more complex than that.

What I can say, because it's been reported on by our commissioner in the last three years, is this. I'll use a private communication because that's something that's definitive in terms of what a private comm involving a Canadian is. One end is a Canadian. It's a communication that either originates or ends in Canada. That's a private communication.

When we come across a private communication, incidentally—and maybe I'll give you a quick example. I'm not trying to take up your time. If we're targeting bad guy X in country Y, we can't control what bad buy X in country Y is going to do. He might pick up the phone and call you. He decides to call you, and we're actually monitoring and collecting his information. When he does that, he might be calling you to share a recipe for soup, or he might be calling you to say, “Bombing the Parliament Building tomorrow is a go.” In the first example, if we come across a private communication and it has no relevance to international affairs, security, and defence, we delete it immediately. We mark that and we keep track of that marking, and our commissioner reviews and makes sure that we have deleted it and that there is no trace of it in our systems. In the second case, we keep it.

To your question in terms of volume, how many private comms did we keep over the course of a year? The first time that number was published was three years ago and that number was 66. Two years ago that number was 16, I believe, and last year that number was 340. You might be wondering if those are big numbers or small numbers.

As I was explaining to you earlier, just for yourself, for example, how many emails, phone calls, social media.... How many times do you actually use a private comm in a day? Multiply that by 365. Multiply that by the population in Canada, say 39 million, and you'll get an idea that there are billions and billions of private comms transmitting every single year. Of those billions and billions, the numbers in the last three years have been 66, 16, and 340 that we have kept for national security reasons. Hopefully, that gives you an idea of the volume.

Without touching on the specific cases you've cited, which I'm in no position to comment on in any case, there is always a tension in these issues in terms of what to share and what not to share. The intelligence business, fundamentally, gets some of the questions that others have asked earlier, particularly when you're dealing, as National Defence does, with all sources of information: signint, humint, imagery intelligence, etc. The issue of which source of information will give you the best of what you're looking for, and which is most credible and reliable in order to do what you think you need to do, operationally, is the constant struggle. Shifting through the volume of information, finding the pieces that are credible and reliable that pertain to the operation in which you are currently engaged is a huge amount of work.

There have been many cases, you cite, where not sufficient information was shared, be it because it wasn't found in time or because we were concerned about whether or not we could share it legitimately. There have been cases where information that unfortunately was not credible or reliable was shared and led to mistakes being made, operationally, of one kind or another.

Mistakes will continue to be made in this business. It's a difficult business, but having a clear framework within which you can make decisions around sharing is a benefit to the system.

I think SCISA is too new and too untested at the moment to determine whether or not it strikes the right balance. We may find as time goes by, if we keep the current formulation of the act, which is a decision for government and for Parliament, that there are tweaks that need to be made to shift the balance in one direction or another. At the moment, it strikes me that it is a much better tool than we had without it.

As some of my colleagues have said, we have powers to share already. What SCISA does is clarify the rules and provide a framework in which you can do the sharing and track it, which was not the case previously.