Evidence of meeting #97 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cse.
A video is available from Parliament.
12:15 p.m.
Deputy Minister, Department of Public Safety and Emergency Preparedness
Sometimes if it walks and talks—
12:15 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
I hear you.
Thank you.
So the RCMP shares the same sentiment that the bill contains the provisions necessary and that it permits, where appropriate, the emergency disruptive activities without warrant that you require?
12:15 p.m.
D/Commr Gilles Michaud
A lot of those authorities exist outside the bill, and we already possess them in order to intervene and disrupt any type of emerging threat.
12:15 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
So with this bill, CSIS officers would have the authority in defined exigent circumstances to perform disruption activities to prevent imminent attack without a warrant?
12:15 p.m.
Assistant Director, Policy and Strategic Partnerships, Canadian Security Intelligence Service
I'm just conferring with my colleague here.
Merydee, go ahead.
February 13th, 2018 / 12:15 p.m.
Merydee Duthie Special Advisor, Canadian Security Intelligence Service
Threat reduction measures can be carried out with or without a warrant. The bill doesn't address the issue of exigent circumstances. Non-warranted measures can be carried out and, really, the time constraint is internal in terms of all the processes we have to go through and the consultation with our partners to make sure that it is the appropriate course of action.
12:15 p.m.
Conservative
12:15 p.m.
Assistant Director, Policy and Strategic Partnerships, Canadian Security Intelligence Service
Can I just add that in those exigent circumstances it would more than likely be the RCMP that would be acting in those situations.
12:15 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you.
I have a little bit of time left, I'm sure.
I have one yes or no question. A previous witness at this committee expressed concern and suggested that if Bill C-59 passes as written—and this applies I suppose to you, Ms. Bruce—then CSE may interfere in the democratic electoral process in another country.
Can you please confirm that CSE has no intention of using its new powers to interfere in any democratic electoral process in any foreign country?
12:15 p.m.
Associate Chief, Communications Security Establishment
Yes, sir, in fact there's an explicit prohibition in the act that ensures that any active cyber operation is not used to pervert or obstruct the course of justice or democracy.
12:15 p.m.
Liberal
The Chair Liberal John McKay
I can think of at least one head of state who would be relieved about that.
Mr. Dubé.
12:15 p.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
It's not a party position, I imagine.
My question is for CSE, to start, since this was discussed in your presentation, but it's also for CSIS, because it is mentioned in part 4 as much as it is in part 3 of the bill when it comes to the definition of “publicly available information”.
The sense I've gotten from people who know about it better than I do and have been before the committee is that, up until now, there's been no definition in Canadian law and no jurisprudence about what publicly available information is.
You've defined it as the sort of public resources that would be available to anyone in Canada. One example that the Canadian Bar Association offered was that of information being sold by Facebook to advertisers—which arguably would be available to anyone if they were in that business. It's unclear to me whether we're talking about googling someone whose Facebook page doesn't have strong privacy settings, or whether we're actually talking about things that technically are available to anyone, but wouldn't actually be.
Therefore, my first question is, can you drill down that definition? My second one is why is there no definition in the bill or anywhere in Canadian law of this, and should there be a definition in the bill to make that more explicit?
12:15 p.m.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
There are a few things. One is to make clear that this element is actually making explicit something that occurs now with respect to CSE. We use infrastructure information, which, as the legislation states, can be linked to an identifiable Canadian.
We do that to understand the global information infrastructure in which we operate. We use it in some of the other ways Shelly referred to in her statement, when she talked about how it has to be consistent with our mandate. We're not a domestic investigative agency. We don't build dossiers on Canadians and can't cross-reference data for the purpose of going deeper into any Canadian's private activities.
As well, as mentioned, stolen or hacked information would not be available for our use. I draw attention to Justice Canada and the charter statement it released at the time of the tabling of this bill, which talks about publicly available information and the reasons it is a different kind of beast than the kind of information that has attached to it the reasonable expectation of privacy and would be subsumed within the ambit of the ministerial authorization process.
12:20 p.m.
Assistant Director, Policy and Strategic Partnerships, Canadian Security Intelligence Service
Just with regard to your question on the social media, our collection and use of information is going to continue to be guided by the charter and by an individual's reasonable expectation of privacy, which as you know, is evolving over time. We're going to ensure that that's kept consistent.
Further, with regard to the hacked or stolen datasets, we do not consider those to be publicly available. We could envision a scenario, though, where if our adversaries had access to a hacked or stolen dataset, we might still want to have the ability to retain it, but that would only be through the normal authorization process. We would have to go to the Federal Court if it were Canadians' information, or to the Information Commissioner if it were foreign.
12:20 p.m.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
May I just add to that?
I'm sorry, sir, but I didn't completely answer your last question.
12:20 p.m.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
Publicly available information is included in the definitions in part 3, so there is a specific definition.
12:20 p.m.
NDP
12:20 p.m.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
You don't have the act in front of you, so I'll read it to you:
publicly available information means information that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase.
12:20 p.m.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
All right. Thank you.
When it comes to information acquired incidentally, is there any notion of why that would be retained? Right now, I think, it's in proposed subsection 24(4), which talks about information acquired incidentally through the research that's done. Is there any reason that you would retain that information and not just put it back, throw the fish back in the water, if that's happening?
I'm not clear on the authorizations when it comes to proposed section 24. I'm pretty clear on the authorizations for information acquired incidentally for datasets with CSIS, but I'm less so on part 3.
12:20 p.m.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
I would just say that, where there is that reasonable expectation of privacy, any information that we use... If there's any element of, say, information notwithstanding the publicly available information definition and those elements, if there is anything that hits that trigger of “reasonable expectation”, that's brought within the ministerial authorization process.
We still will have the element of privacy measures applying to publicly available information in case there is a privacy interest triggered, but again, given that the Privacy Act requires that we only collect, use, and retain information consistent with our mandate, we cannot go outside of that mandate and use it in different ways.
We will be, obviously, reviewed for reasonableness, necessity, and our privacy measures, so the degree to which there might be any concerns going forward on that would be, I would think, captured by that review agency and drawn to our minister's attention.
12:20 p.m.
Liberal
Sven Spengemann Liberal Mississauga—Lakeshore, ON
Thanks very much, Mr. Chair.
Ms. Bruce, in the first round we ran out of time as you were about to delegate to your colleague Mr. Millar on the question of, if that's the right term, rules of engagement for active cyber operations abroad. You then had a follow-up discussion with my colleague Mr. Fragiskatos.
Mr. Millar, is there anything else you'd like to add in terms of clarifying what the framework is for conducting active cyber activities abroad, what the safeguards are?