Evidence of meeting #22 for Citizenship and Immigration in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
4:25 p.m.
Conservative
4:25 p.m.
NDP
Rathika Sitsabaiesan NDP Scarborough—Rouge River, ON
Thank you, Mr. Chair.
Considering the agents who are making these decisions with respect to visa decisions and inadmissibility of people, what types of training do our agents go through, the border agents or the people who are making these security decisions? I'm not saying give me the full seven-year detail of the training they go through, but could you elaborate a little bit on the type of training the agents here and abroad go through, please?
4:25 p.m.
Director General, Intelligence and Targeting Operations, Canada Border Services Agency
The members of the national security screening division, who I referred to before, those 60 people—
4:25 p.m.
Director General, Intelligence and Targeting Operations, Canada Border Services Agency
There's a training package that is being developed specifically for their duties. It has been upgraded recently, and we're taking a close second look at it in the wake of the OAG report.
4:25 p.m.
Director General, Intelligence and Targeting Operations, Canada Border Services Agency
As to overseas, the overseas officers you're referring to I think would be CIC employees. We're talking about visa officers. We wouldn't be able to comment on their training.
4:25 p.m.
NDP
4:25 p.m.
Director General, Intelligence and Targeting Operations, Canada Border Services Agency
Oh, okay. Our liaison officers overseas tend to come within the agency from intelligence or criminal investigations backgrounds predominantly, not exclusively. So they start off with a certain amount of training, and they receive quite an extensive training course before they are posted overseas. Off the top of my head, I can't remember whether it's four weeks or six weeks.
4:25 p.m.
NDP
Rathika Sitsabaiesan NDP Scarborough—Rouge River, ON
You said that a training package is being developed for that...I'm going to call it a task force.
4:25 p.m.
Director General, Intelligence and Targeting Operations, Canada Border Services Agency
It's the national security screening division.
4:25 p.m.
NDP
4:25 p.m.
Director General, Intelligence and Targeting Operations, Canada Border Services Agency
The package is in place already. It's delivered to all our employees when they join the division, but we are looking at enhancing it, as it was one of the recommendations of the OAG report.
4:25 p.m.
NDP
Rathika Sitsabaiesan NDP Scarborough—Rouge River, ON
By the AG, okay. Thank you.
Do I still have time?
4:25 p.m.
NDP
Rathika Sitsabaiesan NDP Scarborough—Rouge River, ON
We have a minute.
How accurate are biometrics for identification? Are there cases where it may not be accurate and you get the wrong people?
4:25 p.m.
Assistant Commissioner, Federal and International Operations, Royal Canadian Mounted Police
Sorry. That's certainly out of my area of expertise. I'm not certain. I wouldn't know the answer. I apologize.
4:25 p.m.
NDP
Rathika Sitsabaiesan NDP Scarborough—Rouge River, ON
Do you often exchange this type of information with our international partners—biometrics data that we collect?
4:30 p.m.
Executive Director General, Security Screening Branch, Canadian Security Intelligence Service
The service isn't involved in the exchange of biometric evidence. It's primarily between law enforcement and our partners at the service.
4:30 p.m.
Conservative
The Chair Conservative David Tilson
Thank you.
I'm sorry I've rushed you, but we have rules.
I want to thank the four of you for coming. You've been very helpful to the committee. Thanks very much.
We will suspend.
4:33 p.m.
Conservative
The Chair Conservative David Tilson
We'll now proceed with the second part of our meeting today. We have two witnesses. The first is the Office of the Auditor General of Canada. We have Ms. Wendy Loschiuk, the assistant auditor general. We also have Gordon Stock, who's a principal, and Suzanne Therrien, who's a principal.
We have the Office of the Privacy Commissioner of Canada. Commissioner Stoddart, it's a pleasure to see you. I haven't seen you since my days on the ethics committee.
We have Andrew Patrick, who is the information technology research analyst. Good afternoon to you.
Finally, we have Lindsay Scotton, who is the manager of privacy impact.... This is a long title. I'm not going to read it; it's too long. You should have Ms. Stoddart shorten it down.
Each group will have up to eight minutes to speak.
Ms. Loschiuk, thank you for coming.
4:33 p.m.
Wendy Loschiuk Assistant Auditor General, Office of the Auditor General of Canada
Thank you, Mr. Chair, for this opportunity to appear before the committee as you begin discussions on the security of Canada's immigration system.
In chapter 2 of our most recent report in the fall of 2011, we looked at the processes followed and the information made available when checking to determine if a person applying for a visa is admissible to Canada. Joining me today is Suzanne Therrien, who was the principal responsible for this audit.
We've also examined the detention and removal of individuals from Canada and reported those findings in chapter 7 of the May 2008 report. Joining me as well is Gordon Stock, who was the principal responsible for that audit.
Mr. Chair, when persons are being admitted into Canada, the health, safety and security of Canadians remain paramount. This is made clear in the Immigration and Refugee Protection Act, which sets out the rules for determining whether visa applicants are admissible, and provides the authority to detain and remove those who are not.
There may already be people in Canada who are in breach of the act and are therefore here illegally. In such cases, a removal order may be issued. In 2008, we saw that the Canada Border Services Agency had made improvements to focus on removing higher-risk individuals, but resources were limited.
Our 2008 chapter had several key messages that I would like to go over. First, although the Canada Border Services Agency had adopted better techniques to track persons who had been ordered removed from the country, the growing number of persons in Canada illegally was jeopardizing the integrity of the immigration system. In addition, the whereabouts of some of these persons was unknown.
We also found that more work was needed to ensure that persons who were detained but released on bond complied with the conditions of their release. There was little information available on the costs of detaining and removing persons or on whether policies and standards for detention were applied fairly.
Finally, the Canada Border Services Agency and Citizenship and Immigration Canada needed to focus on better coordinating their efforts.
We recommended that the department and the agency implement processes to improve the quality assurance of their joint program dealing with temporary resident permits. We also recommended that they ensure that all individuals are treated in a consistent manner and that data capture and analysis be improved to better monitor detention and removals.
In our 2011 audit on issuing visas, we saw that visa officers overseas had a very challenging job. However, they are well-supported—with good training before going overseas and, once there, a network that they can access for advice. Visa officers told us they use this network often.
However we found that there are some gaps in the process for managing risks and getting assurance that the system is working as intended. Of course, it isn't realistic to expect the system to be perfect. Nevertheless, we find that it is important to have information on how well the system is working so that gaps can be identified and appropriate remedial action taken. In our opinion, these gaps can be narrowed by improving quality assurance practices and by monitoring performance.
Specifically, we noted the following. First, in order to properly identify persons not admissible to Canada, visa officers need to know what to look for. However, the tools they use to help them do this were not being reviewed regularly to ensure they were up to date. Even though medical professionals were reviewing the health documentation from applicants, it remains difficult to assess danger to public health or public safety or to assess excessive demand.
Second, timely and reliable information is not always available when assessing admissibility. Information on visa applicants mostly comes from the applicants themselves, which is to be expected. It can be difficult to validate this information, and therefore any help from security partners is valuable. However, there may be little helpful information available from security partners, and a security screening for a permanent resident visa can take more than three years.
Third, quality assurance practices—in other words, checks to make sure the system is working—need to be strengthened for the admissibility determination process. We found that there are reviews and good documentation in cases where an applicant is found inadmissible. But those cases make up a small portion of the volume of visa requests. Most people coming to Canada may not pose a risk. But in a system that is there to help protect Canadians, in our opinion, it is just as important to review the decisions to grant visas as it is to review the decisions to deny them.
Both Citizenship and Immigration Canada and the Canada Border Services Agency have been working to make their practices better. Some progress has been made since 2000, when we first noted a lack of quality assurance in the system. The two entities have drafted a new memorandum of understanding and, at the time of the audit, were developing a joint risk management approach.
Finally, an area that could still benefit from improvement is measuring performance by developing performance indicators. Despite attempts to develop a joint framework on performance measurement, there has been little progress. The challenge has been getting good information to measure performance and demonstrate how effective the admissibility determination process has been. Both the department and the agency have agreed to focus on performance measurement as part of a current review.
We also noted that the two entities have prepared action plans to address our recommendations and have been working toward firm timelines.
Mr. Chair, this concludes my opening statement.
We'd be happy to answer any questions.
Thank you.
4:40 p.m.
Jennifer Stoddart Privacy Commissioner, Office of the Privacy Commissioner of Canada
Good afternoon, Mr. Chair.
Thank you for inviting me.
This is a technically complex area, and that is why I've asked two experienced officials from my office to accompany me today.
Dr. Andrew Patrick has studied and written extensively on the issue of identity management, verification, and the use of biometrics. He also represents my organization in matters of privacy oversight at Interpol.
Also with me today is Lindsay Scotton, who has been managing the review of privacy impact assessments of federal government programs in my office for nearly a decade.
As the honourable members of the committee probably know, the Privacy Act imposes obligations each time the federal government gathers personal information. Among those obligations, the federal organizations are supposed to establish certain protection measures, limit the use of information for secondary purposes and establish the list of their databases publicly, regardless of the citizenship of those affected.
In addition, in the case of legislative or regulatory amendments to the immigration system, I expect the relevant institution to provide us with detailed assessments of private life factors.
This is why it's particularly important to strike the right balance between a necessary scrutiny to weed out the bad apples and a commitment to uphold our democratic rights and freedoms, including the right to privacy, when we process information on individuals who will be visiting our country or who are on their way to becoming Canadian citizens.
I will now ask Dr. Patrick to discuss some of the key technologies involved and their privacy implications.
4:40 p.m.
Dr. Andrew Patrick Information Technology Research Analyst, Office of the Privacy Commissioner of Canada
Great. Thanks again for inviting us.
I want to talk about technology, so I've surrounded myself with some technology. I have some slides to illustrate some of the concepts as we go along.
First, I want to make it clear that I love technology. I live it and work with it all the time, but my job is to understand both the strengths and weaknesses of technology—and that's what I want to talk to you about today—and to understand what technology can do and what it can't do, with a particular focus on biometrics today.
When talking about immigration and immigration safety, the key issue is identity. Who is this person entering our country? What have they done in the past, and are they admissible? Is this person who's now at my border the same person I gave a visa to perhaps months before in some foreign mission? Did that other visitor leave the country when they said they would?
Establishing identity is hard, and it's particularly hard when some people try to deceive. Technology has an important role in establishing identity and addressing this hard problem, but technology is not a panacea. An increasing reliance on technology often implies increasing privacy risks, and that leaves us concerned.
We have a profound ability now to collect vast amounts of information. For identity programs, such as immigration, this means developing large databases that contain sensitive, valuable personal information. Large databases have proven to be very powerful, but also to be a source of serious privacy risks, including security breaches, misuse of information, function creep, and data errors. Unfortunately, our ability to develop or purchase technology is often ahead of our policies, our procedures, and our ability to manage these systems.
Let's turn to biometrics. Biometrics involves measuring characteristics of the body, either physical or behavioural, in order to aid identification and verification of people. Some popular characteristics that are used in biometric systems are the face, the eye, the fingerprint, and so on.
Biometrics are a powerful tool to help solve the identity problem, but if you allow me to quote from two great philosophers, Voltaire, and Stan Lee, the creator of Spider-Man, with great power comes great responsibility.
The way biometric systems work is to compare two samples; one sample that was collected usually earlier in time, at a time of enrollment, and a second sample that's then compared against the enrollment sample when a service is being used. Biometrics are only useful when you have two viable samples to compare against each other. The value of a biometrics system is completely dependent on the integrity of that enrollment process, the time you create the first sample.
If an enrollment procedure is weak, perhaps relying on weak foundation documents that you can't trust, then they don't really help to solve the identity problem. You still need good biographical information, and you still need good intelligence about people, their history, and their intent. Using biometrics with a weak enrollment system would increase the security and privacy risks without providing any real benefits.
When considering biometrics, it is important to distinguish between identification and verification. Identification refers to the task of finding out who someone is out of the entire population of who they might be, and this often involves large databases, perhaps involving millions of records to be compared against. Verification, on the other hand, is a much simpler task of figuring out if this is the one person that this person claims to be. Verification involves comparing two biometric samples instead of millions. Verification is an easier task than identification, and it does not necessarily have to have large databases.
It's also important to realize that biometric systems are not perfect. There can be failures. There can be failures to capture samples, for example, which might be caused by bad lighting for a photographic system or worn fingerprints. There can be false matches and false non-matches.
The total failure rate of a biometric system is also related to its scale, that is, the number of people in a database that you're comparing it against. As databases grow and more and more databases are searched, the chances of making wrong decisions increase.
Let's turn to the temporary resident visa program, which is a program that I know you've been considering. CIC will be introducing biometrics into this program, collecting both fingerprints and face photos.
The real value of the program comes in verification, in verifying the applicant when they arrive at the border. The biometric sample that's collected in enrollment when the visa is granted can be compared at the border with the person who presents themselves. This is a good use of biometrics, in my opinion, but its value is limited to verifying if this one person is the person who was given the visa a while ago.
We have had extensive consultations with CIC about the temporary resident visa program. We have raised some privacy concerns about safe collection, storage, and transmission of sensitive personal information, including biometrics. We have also been discussing the role of private sector companies in the visa application process.
Another issue related to visas is the tracking of visitors while they are here in the country. Biometric samples could be used to compare a sample collected at arrival with a sample collected at departure to determine who has left and who has not. This is a difficult task. There are multiple means by which someone can enter and leave a country, and being able to compare those samples can be difficult. There will likely be privacy issues if third parties are involved in collecting the information at entrance.