Evidence of meeting #76 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Brenda McPhail  Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association
Eric Jacksch  As an Individual
Mieke Bos  Director General, Admissibility, Department of Citizenship and Immigration
Marc-André Daigle  Director, Strategic Initiatives and Global Case Management System Coordination, Immigration Program Guidance, Department of Citizenship and Immigration
Emmanuelle Deault-Bonin  Director, Identity Management and Information Sharing, Admissibility, Department of Citizenship and Immigration

8:45 a.m.

The Chair Liberal John McKay

Let's commence the meeting. It's 8:45, and we want to respect everyone's time.

Notwithstanding all the noise to the contrary coming from the Liberal side, I'm going to get the 76th meeting of the Standing Committee on Public Safety and National Security started.

We have two witnesses in the first hour. We have Brenda McPhail of the Canadian Civil Liberties Association. As an individual, we have Eric Jacksch.

Given the temerity of technology, I'm going to ask Ms. McPhail to speak first in anticipation that we might have some sort of technological failure. Then, colleagues, I'm going to reserve five minutes at the end of the meeting to go in camera to receive the subcommittee's report.

The floor is yours, Ms. McPhail.

8:45 a.m.

Brenda McPhail Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association

Thank you to the committee for allowing the Canadian Civil Liberties Association the opportunity to appear before you today and speak on Bill C-21.

I'm going to focus on three topics: first, the need for appropriate frameworks including explicit privacy protection for information sharing that happens between the CBP and the CBSA; second, the need to ensure that critical details about how the collection of this information will take place receives public attention and parliamentary debate rather than relying excessively on regulations; and third, the need to increase CBSA accountability commensurately with this significant increase in their powers.

The information that Canada will collect and share with the United States after Bill C-21 is passed includes biographical information as well as the date, time, and place of entry or exit for every traveller crossing the Canadian border, including Canadian citizens.

This is information on literally millions of Canadians. StatsCan suggests that in January 2017 alone Canadians made 3.6 million trips to the U.S. It also allows for information about every person who boards a plane, train, bus, or ship—if those conveyances are prescribed, because that prescription is left to regulation—in Canada to be collected and shared.

When the beyond the border agreement was signed, CCLA along with the ACLU in the United States and Privacy International in the U.K. developed and released a series of core legal principles for sharing the U.S.-Canada security perimeter. In respect of information sharing, we recommended that it should be restricted to the particular purpose—not used, disseminated, or stored for secondary uses. It needs to be subject to rules limiting the duration of retention to reasonable periods, and it should be subject to independent oversight review and accountability procedures. In particular, when the laws of the two countries differ, the highest standard that grants the best protections to individuals should prevail.

As an example of the problems introduced by different privacy standards, we're concerned that at the time this bill was originally discussed in 2014 one source suggested that Canada had decided to limit the time they could retain personally identifiable information to 15 years. The U.S. has said they reserve the right to retain it for 75 years or longer. Even 15 years is a long time, and it's worth considering whether or not that's the right time frame. It is highly questionable that Canada could maintain control over the uses of information through a memorandum of agreement with the U.S. for as long as a lifetime.

We believe the responsibility for taking such principles seriously should be explicit in the legislation. In addition to the current amendments to Bill C-21, we would suggest including an amendment to add a preamble similar to that found in the recent national security legislation, Bill C-59, and similar to that found in section 3 of the Immigration and Refugee Protection Act, which is another act that CBSA administers. Both of these pieces of legislation explicitly identify the responsibility of customs enforcement officers to carry out their responsibilities in a manner that safeguards the rights and freedoms of Canadians and that respects the Charter of Rights and Freedoms. One might argue that it's incumbent on them to do so whether or not that clause is inserted in the legislation, but we would argue that there is both practical and symbolic value in including it in the Customs Act at this time.

On a pragmatic level, one way to ensure that privacy protections are in place is to conduct privacy impact assessments. Clearly, for a project of this scope, which is going to collect information on millions of Canadians, these assessments should be undertaken before information is collected under this legislation and ideally in time to inform the regulations. The assessments should be reviewed by the Privacy Commissioner of Canada, and an executive summary should be publicly reported.

We realize that Bill C-21 is enabling legislation and will continue a process that has already begun. In fact, there were privacy impact assessments for the pilot stages of this project before Canadian information was collected, but these assessments need to be updated in light of the expanded collection.

CBSA also committed to conducting an analysis on all uses of personal information by all parties involved in the sharing of biographic entry data, and while that analysis to my knowledge is not publicly available, I would suggest that, as an important precautionary step before expanding the scope, the committee might wish to see if that analysis actually took place, and figure out how it's working now before we expand it.

I'd also just like to flag that in 2015, in his spring report, the Auditor General expressed concerns that the CBSA's project management framework was not conducting risk assessments at appropriate times. That would be another area where the committee might want to make sure the technological infrastructures as well as the policy infrastructures around this information are appropriately secure.

In relation to regulations, clause 2 of Bill C-21 amends the act so that proposed subsection 92(1) will allow the CBSA to collect information from prescribed sources in the prescribed circumstances, within the prescribed time, and in the prescribed manner, and then allow the Governor in Council to make regulations to fill in those blanks. The problem is that leaving so much to be prescribed means a process that is less public, less transparent, and less accountable.

In simpler terms, who we are going to collect the information from, why, when, and how is not clearly specified anywhere in the legislation, but these aren't inconsequential details. Knowing them would allow us to evaluate the nature of the collection process, weigh the potential risks to privacy, and better understand the potential costs of a leak or breach. Knowing the source of information allows us to judge its integrity. Knowing why and how it can be collected allows us to assess the proportionality of the collection in relation to its purpose. Clichés sometimes ring true: the devil is in the details.

While we appreciate the need to keep the legislation technologically neutral and flexible, flexible should not mean completely open-ended, particularly because regulations can be changed quietly, largely out of public view, with a much less democratic process than the one we're engaging in today. What current drafters intend to include in the regulations may not be what subsequent governments would choose.

We are, at this time, witness to a dramatic change in policy direction in one of our neighbours. We should take that lesson to heart. When we're talking about practices that engage charter-protected rights to privacy and mobility, safeguards should be enshrined in law. To this end we recommend the committee consider what aspects of the collection process could and should reasonably be included in the legislation.

Lastly, this bill expands CBSA powers but does not increase accountability. CBSA is still the only federal agency with security and law enforcement powers that doesn't have comprehensive, independent oversight or review of its actions. We argue that it's unwise to continue expanding their powers without increasing that accountability framework.

CBSA will now be allowed to share information for the purposes of enforcing the Employment Insurance Act and the Old Age Security Act. If mistakes are made, that could have highly detrimental effects on individuals. There should be a possibility for individuals to appeal the accuracy of the information to an independent body.

CBSA's role in controlling the exit of goods and people from Canada is expanding. The bill creates a new requirement for people exiting Canada now to answer the questions of a CBSA officer truthfully. Answering falsely is an offence. This is a broad power. There is no question that people should have to respond truthfully to a CBSA officer, but I'm sure we've all seen recent stories about agents on both sides of the border asking questions that people are alleging relate to racial background, religious beliefs, and political opinions. Potentially allowing some form of this intrusive and problematic questioning on exit as well as entry doubles the opportunity for potential abuses of power.

While creating an independent review body for the CBSA is clearly beyond the scope of this bill, allowing a potential escalation of a non-problem while simultaneously failing to provide a recourse to an independent civilian body to receive complaints, review policies or officer conduct, or investigate potential misconduct is simply wrong. Every time the CBSA's powers are increased, the lack of an independent review body to provide additional and necessary safeguards becomes more problematic.

Thank you for the opportunity to provide these comments. I look forward to your questions.

8:55 a.m.

The Chair Liberal John McKay

Thank you, Ms. McPhail. Thank you for staying within the time limit.

Mr. Jacksch.

8:55 a.m.

Eric Jacksch As an Individual

Good morning, Mr. Chairman and members of the committee. My name is Eric Jacksch, and I'm pleased to be here to discuss Bill C-21.

By way of background, I have a B.A. in sociology-criminology and started my career working as a correctional officer and probation and parole officer for the Province of Ontario. I've also had the great privilege of serving in the Canadian Forces Reserve, both the infantry and intelligence branches. My interest in high-tech, combined with a part-time software development business, drew me to Ottawa during the tech boom in the mid-nineties, and I quickly specialized in what we now call cybersecurity.

I have more than 20 years' experience in information security, as well as a background in physical security. I am board-certified in security management by ASIS International, and hold their certified protection professional, or CPP, designation. I also hold the certified information security manager designation from ISACA, previously known as the Information Systems Audit and Control Association, and the certified information systems security professional, or CISSP, designation from the international information system security certification consortium, also known as (ISC)².

So far in my career, I've had the pleasure of providing security services to a variety of federal, provincial, and municipal governments, as well as some of the world's largest banks, automakers, insurance companies, and postal organizations. Consulting engagements have taken me across Canada and the United States, and to the U.K., Switzerland, Spain, Netherlands, Japan, and Singapore. I have taught courses, spoken at conferences, and written numerous articles.

Perhaps most relevant to these proceedings, I have performed risk and privacy assessments for Canadian federal government departments, as well as provincial and private sector organizations required to meet Government of Canada security requirements.

A significant challenge in cybersecurity is education and awareness. In addition to running securityshelf.com, a security news aggregation site, I write a column for IT in Canada. That first put the issues underlying Bill C-21 on my radar.

Back in March 2016, just after Prime Minister Trudeau's visit to Washington, I read articles in the media suggesting that Canada was gearing up to start sharing more personal information with the United States. I thought it would make an interesting article for my column, so I did some research.

As it turned out, the media coverage was mostly hype. However, it did make for an interesting article entitled, “No, the sky is not falling”. You're welcome to visit canadait.com to read that and more of my articles.

I'm sure you've all been briefed on the history, but in summary, as I understand it, in December 2011, then prime minister Stephen Harper and president Barack Obama released the beyond the border action plan for perimeter security and economic competitiveness. As part of the plan, Canada and the United States committed to establishing a coordinated entry and exit information system that includes sharing information so that the record of a land entry into one country can be used to establish an exit record from the other.

According to the CBSA, phase one ran from September 2012 to January 2013, during which time:

...both countries tested their capacity to exchange and reconcile biographic entry information of third-country nationals (non-U.S. or Canadian citizens), permanent residents of Canada who are not U.S. citizens and lawful permanent residents of the U.S. who are not Canadian citizens [having crossed] at four land ports of entry in British Columbia/Washington State and Ontario/New York.

In June 2013, phase two expanded the program to cover all common land border ports of entry with the processing capacity to capture traveller passage as an electronic record. During this phase, information was not shared “on Canadian [or U.S.] citizens, Registered Indians, or protected persons.”

What we are essentially talking about today is the next phase of the entry-exit initiative, and expanding information sharing to all travellers at land border crossings. It's understandable that Canadians are concerned about the prospect of Canada and the United States sharing personal information. From a security perspective, I see three areas of potential concern.

First, there's the actual implementation of information sharing between CBSA and U.S. Customs and Border Protection. To understand that impact, we need to consider what's being shared. I'll quote the privacy impact assessment summary for phase two, published by the CBSA:

At entry, each country presently collects the following data elements as agreed to for the Phase II exchange: Name (first, middle, last), Date of Birth, Nationality/Citizenship, Gender, Document information (type, number and country of issuance); these elements were demonstrated to be effective in reconciling entry and exit information in Phase I. The only data to be exchanged, which are not already known to the receiving country, will be the date of entry, time of entry and the port through which the individual has entered.

Assuming that information sharing is constrained to this set of biographical data, which I also see reflected in Bill C-21, the exchange of information between CBSA and the U.S. CBP has no practical impact on honest, law-abiding travellers.

The second area is how this information is protected in transit and at rest. Canada has proven methodologies to assess cybersecurity risk, and specific guidance on the security controls required to effectively protect this type of information is readily available. Assuming that the cybersecurity aspects of this data sharing are taken seriously, there is minimal risk to Canadians.

The third and perhaps most difficult area is ensuring that information is used only for the intended purposes. When any entity, public or private, has information, there's always a temptation to find new uses for it. Abuse of information by individuals is a problem. Informal information sharing between organizations can give rise to serious security and privacy concerns.

I understand that the Privacy Commissioner has already been involved, and I hope that continues. I also applaud CBSA for publishing a summary of their privacy impact assessment online. As legislators, I urge you to ensure that appropriate privacy controls are in place and to make it clear to Canadians how and under what circumstances this entry and exit information may be shared outside of CBSA.

Section 6 of the charter guarantees every citizen the right to enter, remain in, and leave Canada, but it doesn't say that they can do so anonymously. Canada already tracks entry and exit information for air travellers, and from a security perspective, expanding it to land border crossings makes good sense. I don't foresee any significant security obstacles in the proposed approach.

Thank you for the opportunity to speak on this topic. I welcome your questions.

9 a.m.

The Chair Liberal John McKay

Thank you, Mr. Jacksch.

Our first questioner, for seven minutes, is Madam Damoff.

October 5th, 2017 / 9 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

Thank you very much.

Thank you to both witnesses for being here today.

To Ms. McPhail of the Canadian Civil Liberties Association, have you had an opportunity to read the CBSA's privacy impact assessment? You mentioned that they should do one, and I've looked at the one they have done. Have you read the one that has been done?

9 a.m.

Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association

Brenda McPhail

I've read the executive summary available on the website, which is the only version available to the public.

9 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

Okay. Maybe I misunderstood you. I thought you said that they should do a privacy impact assessment on the bill.

9 a.m.

Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association

Brenda McPhail

This is a process that has already begun, the process of collecting exit and entry data. As my fellow presenter mentioned, there was a phase one and a phase two, during which information was collected, just not from Canadian citizens or U.S. citizens. It was collected from third-party nationals and other groups of people. At that time, impact assessments were done for that collection.

My argument is that, while they're expanding the scope of the information collection, they should be looking to make sure that there are no additional privacy risks to Canadian information. I would note that in their assessment plan, they actually indicate that they intend to conduct such an assessment for phase three. They acknowledge that this is a large expansion of the information that's going to be collected, so I would just recommend that we ensure that they actually follow through on that.

9:05 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

Thank you for clarifying that.

As you just mentioned, it is being done now, but not for Canadian citizens. Certainly, we've heard testimony, and there have been articles written about how this will assist law enforcement for things like amber alerts, child sex offenders, and human traffickers. There are certainly benefits in terms of law enforcement, in particular for amber alerts, to make sure that we don't have children being taken out of the country.

I get the impression that you're generally okay with this bill. You just have concerns with aspects of it. Is that correct?

9:05 a.m.

Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association

Brenda McPhail

Yes. That's correct.

9:05 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

Okay.

You gave us some recommendations, and I always appreciate it when witnesses provide us with recommendations on how we can improve legislation. Have you looked at the legislation on entry and exit in other countries, to see if there are any best practices elsewhere that you could share with us? We're one of the few countries that doesn't have this requirement at the present time.

I might put that to both witnesses, actually.

9:05 a.m.

Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association

Brenda McPhail

I'm sorry. I haven't done that sort of cross-cultural, cross-country comparison.

9:05 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

That's fine.

Mr. Jacksch, have you done any at all?

9:05 a.m.

As an Individual

Eric Jacksch

No. I haven't.

9:05 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

All right.

Thank you.

One of the things that was brought up had to do with storage and retention. You brought that up, Ms. McPhail, in terms of the timing, and you thought it was too long. Do you have recommended timing that you think would be appropriate?

9:05 a.m.

Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association

Brenda McPhail

My understanding is that the 15-year time frame was negotiated with the Privacy Commissioner of Canada in one of the earlier phases of this. From our perspective, the shortest reasonable time to keep information is always the best. If the 15-year time frame is what has been agreed upon with the Privacy Commissioner, then I think that's fine. We would hate to see it go any longer than that, and we would really like to see the retention periods rationalized between the two countries, because the difference between 15 and 75 years is a lot.

9:05 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

Do you have any comments on that?

9:05 a.m.

As an Individual

Eric Jacksch

I would echo the same general comment, that information really should only be retained for the period of time it's required. It's a little difficult to understand why entry and exit data would have any value 50 or 75 years after the event.

One example I like to use is CBSA. Most organizations are required to maintain tax records for seven or eight years, and beyond that even the financial aspects of individuals and companies are primarily considered irrelevant.

Certainly that's a good topic for negotiation with the Privacy Commissioner, and I'd like to see it reasonably short, also realizing there's a cost to maintaining that information.

9:05 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

I should also mention that we can set our time frame and discuss with the Americans, but obviously we have no control over what they decide to do. If they have determined 75 years, we can have those conversations but we obviously can't make any requirements towards the U.S. to shorten that time frame.

Ms. McPhail, you were talking about oversight of CBSA. I would just mention, though, that it is included in Bill C-59. While it doesn't exist right now, it is something that is included in the legislation that is before the House. We anticipate and hope to see that legislation at this committee, and then of course go through the Senate. That is something that will be taking place once that legislation becomes finalized, and we'll fill the gap that currently exists. I recognize this came here first, but we are looking at doing that. You were aware of that, I'm assuming.

9:05 a.m.

Director, Privacy, Technology and Surveillance Project, Canadian Civil Liberties Association

Brenda McPhail

Yes. My understanding is that under the terms of Bill C-59 it is the national security functions of CBSA that will be brought under the aegis of the new integrated review committee. It's not clear to me whether or not the more specifically customs-related activities of CBSA are covered under that. It's actually a bit unclear the extent to which all the activities of CBSA are covered, because the legislation specifies that it will be their national security activities that are subject to review by that committee.

9:05 a.m.

Pam Damoff Liberal Oakville North—Burlington, ON

That's a question we can ask when we get that bill.

Thank you very much for your time.

9:10 a.m.

The Chair Liberal John McKay

Thank you, Ms. Damoff.

Mr. MacKenzie.

9:10 a.m.

Dave MacKenzie Conservative Oxford, ON

Thank you, Mr. Chair, and thank you to the witnesses for being here.

This bill comes out of an agreement from a few years ago. One of the things that we always hear is the concern about sharing the information with the Americans. In fact, most of the information the Americans would have on us in this regard is when Canadians go into the United States. We don't have any perfect rights in our system where we can go into the United States without identifying ourselves, so they collect that information as it is when we go into the United States. What would our concerns be, beyond the fact that the Americans have already collected the information and they share it back with the Canadian authorities?

Maybe you can start, Mr. Jacksch.

9:10 a.m.

As an Individual

Eric Jacksch

I think those concerns are very minimal. When a Canadian or anyone in Canada enters the U.S. at a land border crossing, it's in fact that individual who's providing his or her personal information to the Government of the United States and essentially agreeing to the laws of the United States with respect to the use and storage of that information. It's really difficult to envision how the fact that the United States then sends a record back to Canada saying this person has just left Canada would impact an honest, law-abiding traveller.