Public Safety Committee on Dec. 5th, 2017

Datasets are not robustly defined, so the definition of “dataset” is fairly open-ended. It's an electronic record characterized by a common subject manner, without further resolution as to what that means. Left with a vague definition, I turn instantly to what checks would exist to rein in an egregious, overbroad understanding of what a dataset might be, as compared, say, to the Security of Canada Information Sharing Act, where I agree with what was said before: that concept is overbroad as well.

Here this overbreadth is controlled by in-advance authorizations by independent individuals: the intelligence commissioner in relation to authorizing classes for purposes of initial acquisition; scrutiny then by a limited, designated employee, for purposes of then approving, at least for Canadian datasets; retention of that dataset by a Federal Court judge, who is entitled to superimpose requirements on how it can subsequently be queried and exploited. The definition is broad, but there's a dynamic means of limiting its scope so that there are individuals independent of government who can look over the shoulder of the service and make sure it has not run amok.

Sure, just very briefly. I would say, just in a slightly broader context, that the world of intelligence collection and national security protections that we live in now is one that absolutely requires intelligence agencies around the world to engage in the collection of datasets. I think it's better to have this presented to the public in legislation as an acknowledged fact of life in the intelligence world. The challenge is how to control the use of datasets, which mostly consist of metadata.

From my perspective, the legislation does not do a bad job in that regard. The biggest concern I have about it is that the legislation would like to draw distinctions between foreign datasets and Canadian datasets, and surround each of them with different legal protections. I understand that in theory. In practice—and I've raised this with CSIS and CSE officials—I'm not sure how that's going to be done because we're talking about a much more blended pool of information.

I would encourage the committee to hear some more precise testimony from officials involved in thinking through the dataset problem, as to whether you can really distinguish between these two things. If you can't, the legal surround that we're trying to provide for it doesn't make a whole lot of sense.

My single concern really relates to the circumstances in which the director of CSIS can authorize a query of a dataset that hasn't gone through the regular retention process involving the Federal Court, for instance. There's no indication in the statute as to what the service can then do with the product of that query. For regular queries there are rules about retention and in what circumstance they can be retained. For exigent queries those rules are not there so I'm not sure whether this is a glitch in the drafting or whether this is intended. It seems to me it would be very easy to pull the results of those queries into the regular retention regime but at present I don't see how it does so.

Off the top of my head I would just make it clear that the results of queries done in exigent circumstances under proposed section 11.22 should be tied into the rules on retention that you find in proposed section 11.21. Obviously, that's going to require some tinkering.

I wasn't party to the drafting of Bill C-51 so I can't comment on the circumstances that drove its manner of drafting. Certainly, Bill C-51 opened the door to the service doing threat reduction of any sort, which before was a disputed issue. We know from what the director has said approximately 30 times now that, I believe, the service is engaged in threat reduction, albeit never crossing the line to threat reduction that might violate a Canadian law or transgress a charter right. Bill C-59 opens the door to a more assertive use of threat reduction where it could violate a Canadian law, which would require a warrant, but sets up a warrant system that I think would survive an inevitable Constitutional challenge. It broadens the ambit of useful powers for the service.

I can give you an example where this may come up. In the course of an investigation, the service is engaged in an intelligence investigation, and it decides for a public safety reason it needs to swap out an explosive materiel in the possession of a target with an inert material so that it no longer poses a security risk as the service continues its security intelligence operation. Now it's possible for the service to get with warrant authorization to do threat reduction to break and enter for the purpose of swapping out that material, and Bill C-59 makes it more likely that confronted with that request the court would think this regime was plausible.

There are a couple of things.

One is that false positives are a regrettable reality, I suppose, of any list of this kind, whether it's a Canadian list or a list composed by our allies. An effort has to be made to try to ensure that the number of false positives are as small as possible and if false positives do emerge it's a recourse mechanism.

As you'll be aware, the government is working on regulation and technical practices that would allow the government to control the SATA, the Secure Air Travel Act list, rather than it being in the hands of airlines to determine who should board or not board, in consultation with the government. It would be a centralized function. I think that's a very necessary reform. Government officials have testified before this committee that it's going to be a complex reform and it's going to take some time. It's certainly worth pressing the government to make sure that this key measure takes place. As it takes place, it will make the government responsible for false positives rather than a murky responsibility shared between airlines and the government itself and they will be better placed to try to address it. They're engaged in temporary measures of redress, which may or may not be satisfactory, but the overall solution, I think, will have to come with that centralized mechanism and the funding for it.

There are two sorts of false positives. There's the false positive that stems from when the person has the same name as someone who's on the list, and that's the discussion we've been having as of late. That's where a redress system—“I'm not really that person”—is effective. There are also false positives in the sense of a person who is the person the government has targeted, but who feels they've been wrongfully listed. At that point, there's an appeal process, but the appeal process is done in a secret environment where there's no special advocate. One of the recommendations is to have a special advocate who can provide an adversarial challenge in that appeal process.

Not completely, Monsieur Paul-Hus, and I think perhaps the government would recognize that. It's creating a different circumstance in which the minister has to respond to appeals for redress. That's a small fix, but the real fix goes beyond the legislation and is contained in steps the government has promised to take but hasn't yet unveiled.

Both Craig and I have testified previously on Bill C-22, and my view is that it's important to be realistic about what is proposed in C-22 as a practice, and what is necessary. Any time you give a committee of parliamentarians access to highly sensitive information, you have to surround that access with controls and protections. The challenge is to make sure that, in doing that, you don't intrude too much on the work of the committee itself.

From my perspective, C-22 reaches a reasonable balance in that regard. I don't regard the control, as you put it, of the Prime Minister's Office over the information flow as something that is likely to impact, in practice, the ability of the committee to do its work. It has many challenges ahead of it. It has only just recently, as you know, been set up in terms of members that are going to appear. The executive director has not yet been appointed. It's very much in its infancy, but my view is basically that the legislation should hit a reasonable balance until we learn otherwise through experience.

The amendments I'm proposing would affect the foreign intelligence authorizations and the cybersecurity authorizations that are alluded to in proposed section 23, to ensure that in those two contexts information that triggers a constitutional interest is steered through the authorization process by a minister and then the intelligence commissioner.

My amendments do not then also superimpose that authorization process on defensive cyber or active cyber. This is confined only to the surveillance competency of the Communications Security Establishment.

My preference is to steer every new change through the intelligence commissioner process. The issue here is that these authorizations are broadly textured. At present, for example, for foreign intelligence I understand there are three ministerial authorizations and one cybersecurity authorization. They cover a whole orbit of specific activities.

If what the minister is proposing is novel and new, then it should be steered through the regular process involving the intelligence commissioner. If it's an extension of an existing authorization, I'd have to think about that. There is the prospect, of course, that the conduct of the minister is always subjected to back-end review by the NSIRA. I'd have to go back to the act to see how narrow the circumstances are for the minister to renew unilaterally.