Good morning, Mr. Chairman and members of the committee. My name is Eric Jacksch, and I'm pleased to be here to discuss Bill C-21.
By way of background, I have a B.A. in sociology-criminology and started my career working as a correctional officer and probation and parole officer for the Province of Ontario. I've also had the great privilege of serving in the Canadian Forces Reserve, both the infantry and intelligence branches. My interest in high-tech, combined with a part-time software development business, drew me to Ottawa during the tech boom in the mid-nineties, and I quickly specialized in what we now call cybersecurity.
I have more than 20 years experience in information security, as well as a background in physical security. I am board-certified in security management by ASIS International, and hold their certified protection professional, or CPP designation. I also hold the certified information security manager designation from ISACA, previously known as the Information Systems Audit and Control Association, and the certified information systems security professional or CISSP designation from the international information system security certification consortium, also known as (ISC)2.
So far in my career, I've had the pleasure of providing security services to a variety of federal, provincial, and municipal governments, as well as some of the world's largest banks, automakers, insurance companies, and postal organizations. Consulting engagements have taken me across Canada and the United States, and to the U.K., Switzerland, Spain, Netherlands, Japan, and Singapore. I have taught courses, spoken at conferences, and written numerous articles.
Perhaps most relevant to these proceedings, I have performed risk and privacy assessments for Canadian federal government departments, as well as provincial and private sector organizations required to meet Government of Canada security requirements.
A significant challenge in cybersecurity is education and awareness. In addition to running securityshelf.com, a security news aggregation site, I write a column for IT in Canada. That first put the issues underlying Bill C-21 on my radar.
Back in March 2016, just after Prime Minister Trudeau's visit to Washington, I read articles in the media suggesting that Canada was gearing up to start sharing more personal information with the United States. I thought it would make an interesting article for my column, so I did some research.
As it turned out, the media coverage was mostly hype. However, it did make for an interesting article entitled, “No, the sky is not falling”. You're welcome to visit canadait.com to read that and more of my articles.
I'm sure you've all been briefed on the history, but in summary, as I understand it, in December 2011, then prime minister Steven Harper and president Barack Obama released the beyond the border action plan for perimeter security and economic competitiveness. As part of the plan, Canada and the United States committed to establishing a coordinated entry and exit information system that includes sharing information so that the record of a land entry into one country can be used to establish an exit record from the other.
According to the CBSA, phase one ran from September 2012 to January 2013, during which time:
...both countries tested their capacity to exchange and reconcile biographic entry information of third-country nationals (non-U.S. or Canadian citizens), permanent residents of Canada who are not U.S. citizens and lawful permanent residents of the U.S. who are not Canadian citizens [having crossed] at four land ports of entry in British Columbia/Washington State and Ontario/New York.
In June 2013, phase two expanded the program to cover all common land border ports of entry with the processing capacity to capture traveller passage as an electronic record. During this phase, information was not shared “on Canadian [or U.S.] citizens, Registered Indians, or protected persons.”
What we are essentially talking about today is the next phase of the entry-exit initiative, and expanding information sharing to all travellers at land border crossings. It's understandable that Canadians are concerned about the prospect of Canada and the United States sharing personal information. From a security perspective, I see three areas of potential concern.
First, there's the actual implementation of information sharing between CBSA and U.S. Customs and Border Protection. To understand that impact, we need to consider what's being shared. I'll quote the privacy impact assessment summary for phase two, published by the CBSA:
At entry, each country presently collects the following data elements as agreed to for the Phase II exchange: Name (first, middle, last), Date of Birth, Nationality/Citizenship, Gender, Document information (type, number and country of issuance); these elements were demonstrated to be effective in reconciling entry and exit information in Phase I. The only data to be exchanged, which are not already known to the receiving country, will be the date of entry, time of entry and the port through which the individual has entered.
Assuming that information sharing is constrained to this set of biographical data, which I also see reflected in Bill C-21., the exchange of information between CBSA and the U.S. CBP has no practical impact on honest, law-abiding travellers.
The second area is how this information is protected in transit and rest. Canada has proven methodologies to assess cybersecurity risk, and specific guidance on the security controls required to effectively protect this type of information is readily available. Assuming that the cybersecurity aspects of this data sharing are taken seriously, there is minimal risk to Canadians.
The third and perhaps most difficult area is ensuring that information is used only for the intended purposes. When any entity, public or private, has information, there's always a temptation to find new uses for it. Abuse of information by individuals is a problem. Informal information sharing between organizations can give rise to serious security and privacy concerns.
I understand that the Privacy Commissioner has already been involved, and I hope that continues. I also applaud CBSA for publishing a summary of their privacy impact assessment online. As legislators, I urge you to ensure that appropriate privacy controls are in place and to make it clear to Canadians how and under what circumstances this entry and exit information may be shared outside of CBSA.
Section 6 of the charter guarantees every citizen the right to enter, remain in, and leave Canada, but it doesn't say that they can do so anonymously. Canada already tracks entry and exit information for air travellers, and from a security perspective, expanding it to land border crossings makes good sense. I don't foresee any significant security obstacles in the proposed approach.
Thank you for the opportunity to speak on this topic. I welcome your questions.