Thank you, Chair and honourable members.
I'm pleased to appear before this committee, and as mentioned by the chair, I'm accompanied by Mr. Bill Galbraith, the executive director of my office.
Good afternoon, everyone.
I'm pleased to be here today to meet with you and to speak about my work as the commissioner of the Communications Security Establishment, or CSE.
You have a copy of my CV, my resumé, so I won't repeat that, but I would like to emphasize two points to start.
The first point is the value I place on the first decade of my career as a legal officer in the office of the judge advocate general of the Canadian Armed Forces, and subsequently in the active reserves for about 20 years as both defending officer and military judge at courts martial. This experience has helped me to understand CSE’s role, particularly where it involves support for the armed forces.
The second point I would make is that I have found that my decade-long experience as a judge, where independence and impartiality are paramount, has stood me in good stead during more than three years as the CSE commissioner. Determining questions of compliance with the law based on facts—the real facts, not alternative facts—as a result of reviewing CSE activities, is consistent, I would submit, with a judicial career.
If you have looked at my resumé, I have devoted a good part of my life to public service.
Being a retired or supernumerary judge of a superior court in Canada is a requirement set out in the National Defence Act, the legislation that mandates both my office and CSE.
A few key points about the role and mandate of the office I hold are, first, the commissioner is independent and at arm's length from the government. My office has its own budget granted by Parliament. I have all the powers under part II of the Inquiries Act, which give me full access to CSE facilities, files, systems, and personnel, including the power of summons or subpoena should that be necessary.
That is why I'm called a commissioner. It goes back to the Inquiries Act when the office was created back in 1996. At that time the executive director was called the commission secretary. It stayed like that for a few years until the National Defence Act was amended in 2001.
My mandate has three components. The first component is to review CSE activities to determine whether they're in compliance with the law, including with regard to the protection of privacy. This is the largest portion of my work. I have a role in protecting privacy. I know that, in Canada, we have a Privacy Commissioner who looks after all federal departments and agencies. In my case, I simply need to look after CSE, and I focus on this agency.
The second component enables me to receive complaints and to conduct any investigations I consider necessary. I must admit that complaints are rare, which reflects the foreign focus of CSE activities.
The third component gives me the duty to inform the Minister of National Defence and the Attorney General of Canada of any CSE activity I believe may not be in compliance with the law. The Commissioner's external and independent role is focused on CSE. The Commissioner assists the Minister of National Defence, who is responsible for CSE, in his accountability to Parliament for that agency and also to Canadians.
Let me provide you now with four key issues that have my attention.
My primary concern is part V.1 of the National Defence Act, the section that mandates both CSE and my office, and that came into effect as part of the Anti-terrorism Act, when it received royal assent in December 2001. That legislation is now almost 16 years old and needs, in my humble opinion, revision. Let me briefly explain.
First, there are ambiguities in part V.1 that were identified, long go, after that part came into effect. This is not surprising given that it was written in haste in the aftermath of the tragic events of September 11, 2001. My predecessors began calling for amendments over 12 years ago to remove those ambiguities. The ambiguities are, in my mind, straightforward and not controversial.
Since 2001, on the other hand, technology, the threat environment, and the legal landscape have all evolved. The law has not kept up. During the course of reviews of CSE activities, other recommendations for amendments have been made. For example, in the fall of 2015, I recommended that the law give explicit authority to CSE to collect, retain, use, and share metadata. Both the and the accepted this recommendation.
The questions surrounding metadata and privacy, along with the value accorded metadata by the intelligence agencies for their work, make this a more complex issue that must be considered carefully. The challenge for the legislative drafters will be to have language that is technology neutral, so that the law will not become quickly outdated as technology changes.
My second key issue is the broader national security accountability framework and what impact it will have on the role of the CSE commissioner and the office.
The government introduced legislation to create a national security and intelligence committee of parliamentarians. I spoke about Bill before another committee last fall. I believe the greater involvement of parliamentarians who are cleared for access to classified information will help strengthen accountability and public trust. Will this happen overnight? No, but it is, in my view, an important beginning. We have considered how we might begin a productive relationship with the committee and its secretariat. This would, of course, involve the direction provided in the bill as it was presented, that the committee and each review body will take all reasonable steps to co-operate with each other to avoid any unnecessary duplication of work.
There remain, of course, many other departments and agencies that have some role in national security, but are not currently subject to reviews. I think we are talking about 17 departments and agencies right now that are not subject to any type of review.
There are 14. We await further information about the government's intentions for national security accountability mechanisms following the national consultations.
The main point I would make is that regardless of structure and the overall accountability framework, expert review, the type of review conducted by my office, the Security Intelligence Review Committee, known as SIRC, and by the Civilian Review and Complaints Commission for the RCMP, also known as the CRCC, is a necessary and key component.
My third key issue is related to the previous one.
Bill defines cooperation, or information sharing, between the committee of parliamentarians and the existing review bodies. However, the creation of a national security and intelligence committee of parliamentarians will entail, and even require, greater cooperation among the existing review bodies, in addition to our cooperation with the committee of parliamentarians.
At this time, a certain amount of cooperation can occur between review bodies. For example, my predecessor and I have sent letters to my colleague, the chair of SIRC, with recommendations or findings from our reviews of CSE activities that implicate CSIS. SIRC must then follow up on those issues as it deems appropriate. However, as I said before, there should be an explicit authority in the legislation for cooperation among review bodies.
If intelligence agencies must work together, I don't see why we, the oversight bodies, can't work together officially. At this time, we can work together to a certain extent, but when operational information is involved, we can't share it. For example, if we want to conduct a joint review with SIRC, it's very difficult because we can't share operational information.
My fourth key issue deals with transparency. Since the disclosures of highly classified documents stolen from the U.S. National Security Agency by Mr. Snowden, public trust in the activities of the intelligence agencies and the effectiveness of review or oversight mechanisms have been put into question.
Greater information and explanations of why certain activities are conducted by the agencies would help the public debate, as it has in the United Kingdom. There, public reports by the Intelligence and Security Committee of Parliament and by the Independent Reviewer of Terrorism Legislation have provided a great deal of detail that has, among other points, presented an operational case for use of certain authorities and powers.
I believe that most people engaged in this debate accept that secrecy is a fact of life in national security. The intelligence agencies would not be effective if they could not work in secrecy. It is important to point out that it is because of this fact that the review bodies were established in the first place, with security-cleared staff, to monitor what is going on inside the secret agencies and to assess whether activities comply with the law, including the protection of the privacy of Canadians.
Secrecy and the Snowden disclosures have raised scepticism. When the public learns of mass data collection, they want to know whether it is really necessary and whether there are adequate privacy safeguards. Explanations, indeed, would help.
The four issues I’ve described briefly will all help strengthen the accountability of national security activities and strengthen public trust.
In particular, I look forward to working soon with the committee of parliamentarians when it becomes a reality.
Thank you for this opportunity to appear before you today. My executive director and I would be pleased to answer your questions. Anyway, we'll try.
Thank you, Mr. Chair. We're ready to answer questions.
Thank you, Mr. Chair, and my thanks to you, gentlemen, for being with us this afternoon.
Commissioner Plouffe, thank you for your service as a member of the armed forces, as a jurist, and as a public servant.
My questions will be addressing the interests of the Canadian public in this matter, which is complex, and in my view, probably not as well understood as it should be.
You mentioned public trust in your comments, and I think probably the single biggest asset any public institution can have is trust. There are two dimensions of trust with respect to the agency you are overseeing. It's trust vis-à-vis the Canadian public, but it's also intra-agency trust to ensure that intelligence is transferred and that access to information is available.
I'm wondering if you could comment on, first of all, the level of Canadian awareness of the security agencies we have in place and what you think could and should be improved to raise awareness. You mentioned the Snowden affair, and I think that the Snowden affair has increased general awareness of this issue and that there are things going on that we may not see or hear about. It's also in some respect potentially eroded trust. What would make your work easier in terms of the extent of knowledge by the Canadian public of the subject matter you are engaged in?
Thank you, Commissioner.
Part of our task in the commissioner's office is to ensure that we are staying abreast and up to date on what is happening within CSE. We do that through the reviews we're conducting, through briefings we request from CSE in specific areas, and through demonstrations of particular systems we want to examine, whether or not we can determine that there may be risks to compliance or to privacy in those systems or in the activity. We then have a risk assessment to determine where risk is higher for particular activities. Then we assign a priority to begin conducting reviews. We have engaged on contract a computer engineer, for example, to help us better understand the technology.
However, it's incumbent on CSE, through ministerial directives and authorizations, to assist the commissioner's office in the conduct of our reviews. If we were to find that they were not, for example, willing to provide a certain presentation, briefing, or demonstration to us on a particular area we were interested in informing ourselves about, then the commissioner would speak to the chief and say “please”.
That question is asked all the time. How can you effectively review the CSE activities, with, let's say, 10 people, whatever, when CSE is composed of 2,000 people?
As we said previously, we proceed, with regard to a review of activities, with a risk analysis. In other words, every year we look at the situation and decide what we should do with regard to reviews. I'm advised and counselled by experts who have worked previously with CSE, with CSIS, with the public safety department, and so on and so forth. Then we decide, for the following year, what we'll do. We have a work plan and this is what we do.
Again, if we come to the conclusion that we don't have enough resources, I would ask for more. This is what we're doing for next year. We've asked for more resources, because now we feel that we need more people, more experts, to investigate, but you also have to understand that even if CSE is composed of, let's say, 2,000 people, they're not all analysts. There are all kinds of people there dealing with administrative matters, blah blah blah, so this is what I'm trying to say. I think for the time being, I feel confident that I have enough resources to do a good job.