Public Safety Committee on Oct. 24th, 2017

Mr. Chairman and members of the committee, I thank you for the invitation to appear and testify on Bill C-21, an act to amend the Customs Act. I'm going to read my remarks, in a desperate academic attempt to stay within your 10-minute time frame.

Bill C-21 provides statutory powers for the final phase of the entry-exit initiative. As the committee will be aware from previous testimony, the entry-exit scheme dates back to promises made under the Beyond the Border action plan agreed to in 2011 between Canada and the United States. Its provisions are, for now, Canada-U.S.-centric. The Beyond the Border action plan is the latest iteration of agreed schemes for post-9/11 border security, dating back to the safe border accord of December 2001. The Liberal government affirmed its commitment to the entry-exit information plan during a summit meeting between Prime Minister Trudeau and then U.S. President Obama in March 2016.

The entry-exit scheme has had a staged rollout since its first phase, which lasted from September 2012 to June 2013. It served to test the data exchange between Canada and the U.S. at select land border ports of entry. The second phase began in June 2013 for fuller land border crossing information exchange for third country nationals, permanent residents of Canada, and lawful permanent residents of the United States. The final stage of entry-exit, requiring statutory force in Bill C-21, would see the biographical exchange of information on all travellers, including Canadian citizens, at the land border, and the collection of biographical exit data on all air travellers, again including Canadian citizens, leaving Canada.

Biographical data acquired under Bill C-21 would consist, as you've heard, of the page 2 information from Canadian passports presented to Customs and Border Protection officials at U.S. ports of entry when crossing the land border. This information includes, as you'll know, name, nationality, date of birth, sex, and place of birth.

For the air mode, it would involve what is referred to as API/PNR, or advance passenger information/passenger name record, data provided by air carriers and air reservation systems for exit records for air travel. API data includes page 2 biographical passport data plus flight information. PNR derives from airline departure control and reservation systems, and varies depending on the collector. It can include type of ticket, date of travel, number of bags, and seat information.

The information flow that Bill C-21 augments is meant to be automatic. It would involve the passage of electronic data from U.S. CBP at land entry—U.S. entry data becoming Canadian exit data—in near real time. For air travel, it would involve the transmission of electronic passenger manifests from air carriers. All of this information would go to the Canada Border Services Agency for processing.

The backgrounder published by the government when the legislation was first introduced in June 2016 indicates that the entry-exit initiative is meant to serve a large number of objectives. It is not specifically a national security tool, but could, in my view, enhance investigations into the movements of suspected terrorists, foreign espionage actors, and WMD proliferators, among other actors of concerns, and it could provide a useful investigative supplement to other powers available to security and intelligence agencies.

It is worth noting that Mr. Bolduc of CBSA testified before this committee on October 3, making the point that one additional benefit that Bill C-21 powers would provide was “it will bring Canada on par with the rest of the world and our Five Eyes partners. There's a huge, huge benefit for Canada.” This was a direct quotation from Mr. Bolduc. I am not quite sure how to read this enthusiasm, except to say that Bill C-21 measures are, in keeping with a long tradition in Canadian national security, meant to demonstrate our ally worthiness.

In this same vein, it is also important to note the restrictions that the government has said it will put in place in terms of information sharing from the vast pool of data that will be collected under Bill C-21. Land border exit information will inevitably be shared with the United States government, because the information is collected by U.S. CBP agents. We are assured that exit information from the air mode would not be shared with the United States or any other foreign government. Whether this blanket restriction makes sense is questionable, in my view. The committee may wish to consider an amendment to the legislation in this regard, which would bring it more into line with the Secure Air Travel Act, of which I'll speak a little later.

Minister Goodale has testified before this committee that “exchange of information both within Canada and with the U.S. will be subject to formal agreements that will include information management safeguards, privacy protection clauses, and mechanisms to address any potential problems.” These are important promises that presumably will be fulfilled through regulation. Notably absent, however, is any commitment to transparency around the entry-exit initiative. There is no requirement, for example, for any annual report to Parliament and the public on its application and efficacy.

This lack of a transparency commitment is compounded by the current absence of meaningful independent review of CBSA, the core actor that will operationalize Bill C-21.

While government officials have testified that the information flows provided for through Bill C-21 will be seamless and automatic, the real issues, it seems to me, involve analysis of the data by CBSA, retention and security of the data, and information sharing. Bill C-21 legislation is a black box in these regards, leaving much to regulation. There is a question in my mind as to whether the legislation needs to be more forthcoming in three particular areas: data retention schedules, information sharing protocols, and transparency requirements.

Before I come to some modest proposals to improve Bill C-21, a note on a parallel and existing legislative power might be in order. There exists already a limited form of entry-exit controls for air travel, which have been in place since 2007 but which were amended with Bill C-51 in 2015 under the title of the Secure Air Travel Act or SATA. SATA, often referred to as the passenger protect program, creates a list of persons that the Minister of Public Safety “has reasonable grounds to suspect will (a) engage or attempt to engage in an act that would threaten transportation security; or (b) travel by air for the purpose of committing” a terrorism offence. I'm slightly paraphrasing the sections of SATA here.

SATA contains some provisions that are not held in common with Bill C-21, including specific powers and information disclosure, both domestically and through written agreements with foreign states and entities. These are under sections 11 and 12 of the Secure Air Travel Act. These sections, incidentally, are not proposed to be amended in Bill C-59 as that bill comes forward, presumably, to this committee.

There is also an important statutory reference to retention of data received from air carriers or air reservation systems in the SATA legislation, and this requires:

The Minister of Transport must destroy any information received from an air carrier or an operator of an [air] reservation system within seven days after the act on which it is received, unless it is reasonably required for the purposes of this Act.

That's section 18 of SATA. In other words, the minister is empowered to retain records of air travel for the listed persons but not for the general public.

To bring Bill C-21 into closer alignment with SATA on data retention and information sharing protocols and to enhance transparency and ensure independent review of its powers, I would suggest the following responses to Bill C-21, which the committee might want to take under consideration:

First, Bill C-21 should adopt the explicit SATA references in sections 11 and 12 for information sharing domestically and internationally. I think this would be an improvement on doing this by regulation.

Second, Bill C-21 should adopt a reasonable retention schedule for entry-exit data based on expert government advice on the minimum period necessary for the retention to meet the many different objectives of the entry-exit initiative as listed in the backgrounder document published with the bill in 2016. A seven-day retention cycle as provided for in SATA would be self-defeating, but so would overly lengthy retention periods. CBSA must not become a data swamp.

Third, Bill C-21 should contain a mandatory requirement for annual reporting to Parliament on its provisions by CBSA.

Fourth, the committee should encourage the government to be explicit about its plans for the conduct of regulatory review of CBSA national security activities, either through an independent body or captured by the paragraph 8(1)(b) mandate for the proposed national security and intelligence review agency, NSIRA, under Bill C-59. This may require future clarifying amendments to Bill C-59.

Fifth, the committee should encourage the government to finalize its plans for an independent complaints mechanism for CBSA. There have been discussions under way about this for some considerable time now.

Sixth, and finally, I would encourage the committee to hold early hearings on CBSA and its rapidly expanding mandate. Doing so might serve as a foundational exercise for the new national security and intelligence review agency when it is created.

Thank you for your time and attention.

Thank you, sir. It's a good question.

I guess I would say that it is a tool. I think it's a modest tool. It's probably not important as some existing tools that have already been in place for some time, like the passenger protect program, for example. It's primarily an investigative tool. It would allow the tracking of individuals who might be of concern under the different portions of Bill C-21 . It would only be a supplementary tool. I don't see it as a magic bullet in any sense. I think it's a useful tool. It fills a gap. I don't think any government intelligence or security agency is going to look to it as a principal instrument. It's just a supplementary investigative technique.

I'm sure it could be helpful, particularly in the sense that one has to keep in mind that, of course, it's not impossible to track through various existing means individuals who may be on the move and may be of concern for various reasons to the Government of Canada. You could do that through interactions with foreign partners, through organizations like Interpol, Interpol notices, and so on, but it's always nice to have your own. This is where I would put the benefit of entry-exits. It's always nice to have your own source of information about exit data so that you don't have to rely entirely on the assistance of foreign partners, at least in some initial tracking of where people might have gone. That requirement to be wholly dependent of foreign partners becomes more problematic the more difficult the foreign partner might be.

Yes, in theory at least, with a couple of provisos. One is that the information flow is going to be massive. In terms of the land border information exchange, it's not in real time. It's in near-real time. My understanding is that the CBSA officials will get batches of data on a kind of 15-minute cycle, but that remains to be seen because the full entry-exit initiative has not been tested. It certainly would be an advance.

The challenge, I think, is going to be in terms of how well CBSA is going to be able to digest that information flow.

On that, I would say two things, sir.

One is that the Canadian federal government is in a good position in terms of data security protection, in the sense that it is able to call in the services of the Communications Security Establishment, which is well regarded as a cybersecurity organization.

The question then becomes the fit between what are going to be called the CSE's defensive cyber-operations and the CBSA's capability to lock down its data. We have that advantage. In part this is why I would encourage the committee to at some point take a close look at CBSA. If you look back at previous reports of Auditors General over a number of years, you'll see that CBSA has struggled with its electronic data and data systems, both at the border and at headquarters. It's not clear to me whether they've overcome those struggles or whether those struggles are going to become only worse as they're flooded with this kind of information.

I don't have an expert view at all on how well they're going to be able to manage that data flow. It's been tested to some degree, but not fully. I think it's certainly something that needs to have a watch kept on it. That's partly why, in addition to encouraging the committee to look specifically at CBSA, which is probably the fastest-growing, most expansive security and intelligence agency in the Canadian government, I would also encourage thinking around Bill C-21 that would require annual reporting on the impacts of the bill.

I think I would agree with the CBSA testimony that I've seen before this committee to the effect that the provisions of Bill C-21 will not make the border stickier in the sense of holding back the flow of people or goods. As I see it, the challenge is how CBSA at headquarters is going to be able to handle the data flow, and by “handle” it, I mean really two things: one, make sense of it, and the other, store it in some systematic way and secure it in some systematic way. I'm sure they have thought that through, but they haven't yet in practise met that full challenge, because they haven't seen the full flow of the data come yet.

The initial testing in phase one suggested that they were pretty capable of handling a relatively limited flow of data back and forth across the land border. Whether they're fully capable of handling both the land border exchanges and the exit air information I think is an important question that I don't have an answer to, but I think it's worth posing to them directly.

Let me just turn to SATA very quickly, if I could. There are short sections.

Section 11 of the SATA indicates:

the Minister may disclose information obtained in the exercise or performance of the Minister's powers, duties or functions under this Act for the purposes of transportation security or the prevention of the travel referred to

Basically, that's indicating that this is a ministerial responsibility. It doesn't specify how exactly the minister may create regulation around domestic intelligence sharing or information sharing under C-21, but at least it puts the spotlight on the ministerial responsibility there, specifically with regard to domestic federal government information sharing. Given that there's a lot of concern around this and that it will likely resurface when C-59 comes into discussion again, some clarity in that regard would be important.

More importantly, from my view, the notion that we are going to create an entry-exit initiative for air travel and not share it with any of our close partners or any foreign state strikes me as a nonsense and something that is likely to be abused because it is a nonsense. I would prefer to see something like SATA section 12, which says:

The Minister may enter into a written arrangement relating to the disclosure of information referred to in section 11 with the government of a foreign state, an institution of such a government or an international organization

It's setting down rules around how the minister can interact with foreign partners in the sharing of entry-exit data, which is the sensible way to go, rather than having a blanket restriction that will ultimately face pressure and potential abuse.

Skepticism may be too strong a word, and I deliberately didn't say I was skeptical about it. I just said I was puzzled by the degree of enthusiasm. “Huge, huge benefit” is a little over the top, frankly, in a couple of ways.

First, referring back to a previous question, this is a supplementary investigative tool. It's not going to change the view of our allies and partners about how well we perform security functions in Canada. It's not going to have a huge impact in that regard. Certainly it would be something that the United States government would look to see capped off, given the long history of this initiative.

Also, in the context of our recent discussion, if entry-exit information in the air travel or land travel modes is not going to be shared with foreign partners, I don't—to be honest—really see how this is going to be a “huge, huge benefit” for Canada, except to say we're doing it.

No. My fear is perhaps shared by many, and it's a fear about where the current American administration is heading on border security and a whole number of issues, like its unpredictability and the fact that it doesn't, at the moment, at least, appear to look at Canada as a very close ally and partner.

Very briefly, Mr. Chair, the key here, as you say, is an analytical capacity for CBSA. CBSA, over the years since it was created in 2004, has been growing in intelligence analysis function, but it's still relatively small, untested, and immature. If they're going to have this volume of data, they really have to have a strong intelligence analysis capability, which goes way beyond algorithmic applications and is about human talent and interaction with the rest of the security intelligence community. That's another untested part of CBSA.

No, Mr. Dubé. It would clarify it in two particular ways. It would clarify that the minister would be responsible for any sharing arrangements that were undertaken using this data coming in to CBSA with other federal government departments. That would obviously intersect a bit with SCIDA provisions of Bill C-59, which will come up before this committee.

The more important part in my view is to allow the information collected through this initiative to be shared under written agreements that would be composed by the minister to be shared with select foreign partners. Those are the section 12 provisions of SATA.