I'm happy to go first. Thank you, Mr. Chair, and thank you to the committee for this invitation.
My prepared remarks are about the CSE and CSIS bulk data collection.
In his testimony to this committee, Professor Craig Forcese made a very important point about the thresholds for authorizations for CSE data collection.
Proposed section 23 of what would be the new CSE act sets out that activities carried out by the CSE in relation to its various mandates must not be directed at Canadians or persons in Canada. This is of course a continuation of the current situation in which the CSE is required not to direct its activities in this fashion.
Nevertheless, it is well established and conceded that the information of Canadians and persons in Canada is collected, because some collection, and by no means insignificant collection, is unavoidable due to the complexity of communication networks. Thus, Canadians' information is collected incidentally or unavoidably.
Part of the new regime proposed for the protection of Canadians' privacy interests is to require that the CSE seek a ministerial authorization that is then approved by the intelligence commissioner. The trigger that initiates this process of authorization and intelligence commissioner vetting would occur when the CSE's activities would otherwise contravene an act of Parliament.
We agree with Professor Forcese that this trigger is under-inclusive, a view that is now echoed by Citizen Lab, the Canadian Internet Policy & Public Interest Clinic, and others.
As Professor Forcese notes, there is concern that the proposed threshold would not ensure that the authorization process would, for example, be initiated for activities that incidentally collect Canadians' metadata, which is obviously of critical importance.
Craig Forcese proposes a more expansive trigger, in which the authorization process is required for activities that would otherwise contravene any other act of Parliament or “involve the acquisition of information in which a Canadian or person in Canada has a reasonable expectation of privacy”, a threshold that has already been referenced.
Our problem with this proposed addition is simply this: that the question of what precisely attracts “a reasonable expectation of privacy” is typically the central dispute in almost any emergent privacy issue, and this threshold would be adjudicated internally by the CSE.
We know, not least from years of reports from the CSE commissioner, that disputes over the interpretation of legal standards and definitions have been of ongoing concern, and national security activities in general are plagued with the “secret laws” problem of having words in a statute or directive interpreted in sometimes obscure or deeply troubling ways, and ways that may not be unearthed for years. Therefore, a trigger that involves a colourable definition is inherently problematic, in our view.
However, we read the latest CSE commissioner's report as indicating that the CSE has conducted its signals intelligence activities under just three ministerial authorizations since 2015. It appears that these authorizations tend to authorize a broad sphere of activities. Our understanding that the frequency and scope of “incidental collection” suggests that most, or even all, of the authorizations are apt to at least implicate Canadians' data. In other words, there are only a small number of authorizations, and almost all are apt to require the authorization regime of vetting by the intelligence commissioner.
Surely, then, it is best and still entirely feasible and efficient—to ensure that this authorization process does indeed examine everything that we are hoping it will—to simply have one uniform process of authorization approval by the intelligence commissioner for all classes of activities undertaken outside of the technical and operational assistance mandate, which is, as you know, its own sphere of activities.
For everything else, we recommend that the question of threshold be resolved by eliminating the need for a threshold and ensuring that every class of activities authorized be subject to the new accountability procedure of ministerial authorization and vetting by the intelligence commissioner.
I will turn now to bulk data collection by CSIS. It was most certainly our concern coming out of the national security consultation that the government response to the CSIS bulk data scandals, if you will, would be to simply empower the agency to do what it had previously been doing unlawfully without having a meaningful democratic debate about mass data acquisition in the context of national security. We certainly appreciate that having bulk data collection squarely on a legislative footing does improve transparency, but we are deeply concerned with the low threshold that is proposed in Bill C-59 and that this critically important matter is, quite frankly, receiving insufficient attention in the context of a large omnibus bill.
It was only recently that SIRC did its first-ever audit of the bulk data collection programs of CSIS. SIRC is of the view that appropriate bulk data collection by CSIS can occur under CSIS's current section 12 standard of strict necessity for data collection. In our view, it is hard to imagine a body that would be better positioned to assess this, both from the perspective of accountability and respect for the rule of the law and from the perspective of the operational needs of CSIS.
SIRC's proposal for the standards and criteria for bulk data collection is a three-part test: that there be a clear connection to a threat to the security of Canada, that no less intrusive means are available, and that there be an objective assessment of intelligence value.
Now, compare that standard with the standard set out in Bill C-59. Bill C-59 allows CSIS to collect publicly available datasets, with no definition of that term, on the basis of a bare relevance standard. With respect to Canadian datasets—which, we need to remember, are expressly defined as datasets that contain personal information expressly acknowledged as not directly and immediately relating to activities threatening the security of Canada—the test for their acquisition is simply that the results of their querying or exploitation could be relevant and that this assessment must be reasonable.
It may be argued that this vast scope for bulk data collection is at least mitigated by the requirement for judicial authorization for the retention of those datasets, but rather than providing significant gatekeeping, this authorization simply compounds the effects of the very low standards that lead up to it. Personal information that does not directly and immediately relate to threats to the security of Canada is allowed to be collected if it “could be relevant”, if this assessment is “reasonable”, and if the judge then decides that the dataset can be retained on the standard of “is likely to assist”.
These, then, are the thresholds of what most Canadians would call mass surveillance, and we believe most Canadians would reject these thresholds as shockingly low standards. Thus, a genuine opportunity to meaningfully shape these surveillance practices is being squandered in Bill C-59.
The proposed standard represents a mass erosion of the privacy protections from the strict necessity standards that currently apply. We recommend that the CSIS bulk data provisions be revised to be expressly within the strict necessity standard, and not in exception to it, and that the criteria for bulk data collection, such as that fashioned by SIRC as implicitly principled and workable, be set out within the legislation.
Those are our prepared remarks. Thank you.