Skip to main content Start of content

NDDN Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Skip to Document Navigation Skip to Document Content






Standing Committee on National Defence


NUMBER 041 
l
1st SESSION 
l
42nd PARLIAMENT 

EVIDENCE

Tuesday, March 21, 2017

[Recorded by Electronic Apparatus]

  (1605)  

[English]

     We'll get the ball rolling here. I apologize for being late. We had some votes to take care of, and we actually have another one with bells at 5:15, so I suspect we will be leaving shortly after that.
    I would like to welcome the Honourable Jean-Pierre Plouffe, commissioner of the Communications Security Establishment, and J. William Galbraith, executive director.
     Thank you very much for appearing today to talk to us about the organization and your role as its commissioner. You have the floor for as long as you need to brief us. I believe that would be 10 minutes.
    I'm pleased to appear before this committee, and as mentioned by the chair, I'm accompanied by Mr. Bill Galbraith, the executive director of my office.

[Translation]

    Good afternoon, everyone.
    I'm pleased to be here today to meet with you and to speak about my work as the commissioner of the Communications Security Establishment, or CSE.

[English]

    You have a copy of my CV, my resumé, so I won't repeat that, but I would like to emphasize two points to start.

[Translation]

    The first point is the value I place on the first decade of my career as a legal officer in the office of the judge advocate general of the Canadian Armed Forces, and subsequently in the active reserves for about 20 years as both defending officer and military judge at courts martial. This experience has helped me to understand CSE’s role, particularly where it involves support for the armed forces.

[English]

    The second point I would make is that I have found that my decade-long experience as a judge, where independence and impartiality are paramount, has stood me in good stead during more than three years as the CSE commissioner. Determining questions of compliance with the law based on facts—the real facts, not alternative facts—as a result of reviewing CSE activities, is consistent, I would submit, with a judicial career.
    If you have looked at my resumé, I have devoted a good part of my life to public service.

  (1610)  

[Translation]

    Being a retired or supernumerary judge of a superior court in Canada is a requirement set out in the National Defence Act, the legislation that mandates both my office and CSE.

[English]

    A few key points about the role and mandate of the office I hold are, first, the commissioner is independent and at arm's length from the government. My office has its own budget granted by Parliament. I have all the powers under part II of the Inquiries Act, which give me full access to CSE facilities, files, systems, and personnel, including the power of summons or subpoena should that be necessary.
    That is why I'm called a commissioner. It goes back to the Inquiries Act when the office was created back in 1996. At that time the executive director was called the commission secretary. It stayed like that for a few years until the National Defence Act was amended in 2001.

[Translation]

    My mandate has three components. The first component is to review CSE activities to determine whether they're in compliance with the law, including with regard to the protection of privacy. This is the largest portion of my work. I have a role in protecting privacy. I know that, in Canada, we have a Privacy Commissioner who looks after all federal departments and agencies. In my case, I simply need to look after CSE, and I focus on this agency.
    The second component enables me to receive complaints and to conduct any investigations I consider necessary. I must admit that complaints are rare, which reflects the foreign focus of CSE activities.
    The third component gives me the duty to inform the Minister of National Defence and the Attorney General of Canada of any CSE activity I believe may not be in compliance with the law. The Commissioner's external and independent role is focused on CSE. The Commissioner assists the Minister of National Defence, who is responsible for CSE, in his accountability to Parliament for that agency and also to Canadians.

[English]

     Let me provide you now with four key issues that have my attention.
    My primary concern is part V.1 of the National Defence Act, the section that mandates both CSE and my office, and that came into effect as part of the Anti-terrorism Act, when it received royal assent in December 2001. That legislation is now almost 16 years old and needs, in my humble opinion, revision. Let me briefly explain.
    First, there are ambiguities in part V.1 that were identified, long go, after that part came into effect. This is not surprising given that it was written in haste in the aftermath of the tragic events of September 11, 2001. My predecessors began calling for amendments over 12 years ago to remove those ambiguities. The ambiguities are, in my mind, straightforward and not controversial.
    Since 2001, on the other hand, technology, the threat environment, and the legal landscape have all evolved. The law has not kept up. During the course of reviews of CSE activities, other recommendations for amendments have been made. For example, in the fall of 2015, I recommended that the law give explicit authority to CSE to collect, retain, use, and share metadata. Both the Minister of National Defence and the Minister of Justice accepted this recommendation.
    The questions surrounding metadata and privacy, along with the value accorded metadata by the intelligence agencies for their work, make this a more complex issue that must be considered carefully. The challenge for the legislative drafters will be to have language that is technology neutral, so that the law will not become quickly outdated as technology changes.
    My second key issue is the broader national security accountability framework and what impact it will have on the role of the CSE commissioner and the office.
    The government introduced legislation to create a national security and intelligence committee of parliamentarians. I spoke about Bill C-22 before another committee last fall. I believe the greater involvement of parliamentarians who are cleared for access to classified information will help strengthen accountability and public trust. Will this happen overnight? No, but it is, in my view, an important beginning. We have considered how we might begin a productive relationship with the committee and its secretariat. This would, of course, involve the direction provided in the bill as it was presented, that the committee and each review body will take all reasonable steps to co-operate with each other to avoid any unnecessary duplication of work.
    There remain, of course, many other departments and agencies that have some role in national security, but are not currently subject to reviews. I think we are talking about 17 departments and agencies right now that are not subject to any type of review.

  (1615)  

    There are 14. We await further information about the government's intentions for national security accountability mechanisms following the national consultations.
    The main point I would make is that regardless of structure and the overall accountability framework, expert review, the type of review conducted by my office, the Security Intelligence Review Committee, known as SIRC, and by the Civilian Review and Complaints Commission for the RCMP, also known as the CRCC, is a necessary and key component.

[Translation]

    My third key issue is related to the previous one.
     Bill C-22 defines cooperation, or information sharing, between the committee of parliamentarians and the existing review bodies. However, the creation of a national security and intelligence committee of parliamentarians will entail, and even require, greater cooperation among the existing review bodies, in addition to our cooperation with the committee of parliamentarians.
    At this time, a certain amount of cooperation can occur between review bodies. For example, my predecessor and I have sent letters to my colleague, the chair of SIRC, with recommendations or findings from our reviews of CSE activities that implicate CSIS. SIRC must then follow up on those issues as it deems appropriate. However, as I said before, there should be an explicit authority in the legislation for cooperation among review bodies.
    If intelligence agencies must work together, I don't see why we, the oversight bodies, can't work together officially. At this time, we can work together to a certain extent, but when operational information is involved, we can't share it. For example, if we want to conduct a joint review with SIRC, it's very difficult because we can't share operational information.

[English]

     My fourth key issue deals with transparency. Since the disclosures of highly classified documents stolen from the U.S. National Security Agency by Mr. Snowden, public trust in the activities of the intelligence agencies and the effectiveness of review or oversight mechanisms have been put into question.
    Greater information and explanations of why certain activities are conducted by the agencies would help the public debate, as it has in the United Kingdom. There, public reports by the Intelligence and Security Committee of Parliament and by the Independent Reviewer of Terrorism Legislation have provided a great deal of detail that has, among other points, presented an operational case for use of certain authorities and powers.
    I believe that most people engaged in this debate accept that secrecy is a fact of life in national security. The intelligence agencies would not be effective if they could not work in secrecy. It is important to point out that it is because of this fact that the review bodies were established in the first place, with security-cleared staff, to monitor what is going on inside the secret agencies and to assess whether activities comply with the law, including the protection of the privacy of Canadians.
    Secrecy and the Snowden disclosures have raised scepticism. When the public learns of mass data collection, they want to know whether it is really necessary and whether there are adequate privacy safeguards. Explanations, indeed, would help.

  (1620)  

[Translation]

    The four issues I’ve described briefly will all help strengthen the accountability of national security activities and strengthen public trust.
    In particular, I look forward to working soon with the committee of parliamentarians when it becomes a reality.

[English]

    Thank you for this opportunity to appear before you today. My executive director and I would be pleased to answer your questions. Anyway, we'll try.

[Translation]

    Thank you, Mr. Chair. We're ready to answer questions.

[English]

    Thank you for your comments.
    We are a little pressed for time. If we're disciplined, we'll be able to stick to the plan and everyone can get their time.
    Having said that, Mr. Robillard, you have the floor.

[Translation]

     Thank you, Mr. Chair.
    Welcome, everyone. My questions will be in French.
    I know your mandate is to ensure the Communications Security Establishment activities comply with the laws of Canada. However, during this francophonie week, I want you to talk about the French fact within your agency.
    Since you have all the powers of the Inquiries Act, you have unfettered access to all CSE facilities, documents and personnel. You have broad access to the agency and some perspective on it. Can you explain how CSE, as a federal entity, handles bilingualism? More importantly, can you explain how French affects CSE's relationship with our Five Eyes allies, which operate in English?
    Thank you, Mr. Robillard.
    I'll start by talking about my own organization.
    Most, if not all, our employees are bilingual. Our office isn't large, but most employees and the executive director are bilingual. I'm bilingual, as are most of the investigators or review officers. In our meetings, French has a place, especially since the commissioner is francophone. He is bilingual, but he is of francophone origin.
    It's difficult for me to talk about what happens at CSE, because I don't participate in its activities. The question should instead be addressed to the chief of CSE. I have an oversight role. I monitor and investigate CSE activities to ensure that they comply with the law and that the privacy of Canadians is protected.
    Your 2015-2016 report indicates that you “recommended that CSE keep the Minister informed, on an annual basis, of its activities under part (c) of its mandate to transmit [certain reports] to CSIS.”
    In 2014, CSE moved to a new facility, which was built just steps from the Canadian Security Intelligence Service.
    What do you think of the current physical proximity of the two agencies' headquarters? Is it likely to influence information sharing between the two entities?

  (1625)  

    First, I would say the government or Parliament should answer this question, since the government decided to build the buildings in that location. Since the two agencies are side by side, it's easier for CSIS and CSE to meet and hold discussions. This is especially true since, according to the National Defence Act, CSE—which I monitor—can assist CSIS, under part (c) of its mandate. The two agencies are side by side, which facilitates discussions and meetings.
    Thank you.

[English]

     Do I still have time?
     Yes, you do.
    I will share my time with one of my colleagues.
    You have about three minutes.
    Ms. Alleslev.
    I think it's very important that you spoke about working with the new parliamentary committee when it arrives. In your report you highlight the need to clearly define the respective roles to avoid confusion, duplication of effort, and wasting of resources. I'm interested to know if you would expand on that a bit and give us some idea of where you think that overlap in roles might be, and how we might address that to ensure we have the most effective operation we can.
    I guess I'm looking for your three critical success factors to ensure we achieve the aim that we're working to achieve.
    With regard to Bill C-22 and the provision in that bill where we talk about the duplication, this is the suggestion that I've made. I'm not saying I'm the only one who has made that suggestion, but I made that suggestion a long time ago. If we want to be effective, the committee of parliamentarians and the expert review committees must not duplicate each other. As a matter of fact, more than that, we should be complementary to each other.
    For the time being, not having seen how this new committee will operate, it's pretty difficult for me to tell you exactly how we will do it, but we have already made the offer so that when the secretariat is created, we will be there to assist them in any way, shape, or form, so that we can help them with regard—
     You are the expert, so give us some thoughts. We're looking for your opinion. What do you think the critical success factors would be, and how would you see those roles being delineated between the two organizations?
    Thank you very much. When you say I'm the expert, I think we should qualify that. I'm the expert in law. I'm a retired judge.
    And in oversight.
    No. I'm a retired judge. I'm not an expert in technology, and I'm not an expert with regard to CSE activities. To give you an example, when I was sitting as a judge and presiding at a murder trial, let's say, I had expert witnesses who would come around and explain to me what it was all about. It's the same thing here. In my office I have all kinds of expertise to advise me on what to do.
    Again as I said, we want to co-operate with this new committee because it'll need some assistance to start with, I suspect. We want to assist it, but as I said, right now it's pretty difficult for me to tell you exactly in what form we will do it.
    I'm going to have to pass the floor over to Ms. Gallant. We might be able to circle back to that after.
    Ms. Gallant, you have the floor.
    Thank you for your service to Canada over all these years in the many ways you have served. You may be aware that a couple of weeks ago this committee was travelling to Washington and while we were there we had the great WikiLeaks dump on CIA spying techniques. My question is whether or not your organization is aware of any infringements of Canadians' privacy due to the CIA's hacking of consumer products, the Internet of things.

  (1630)  

    All I can say is, in my case, last year I met with my counterpart in the States, the NSA inspector general, with regard to privacy protection. As you probably know, between the Five Eyes there is an agreement that nobody will spy on the others' citizens, and therefore, they will respect the privacy of Canadians in the other countries. I wanted to receive assurances from the NSA inspector general, who is my counterpart, in that regard. I did receive assurances that the Americans would treat Canadians as their own citizens. Therefore, they would not spy on them. They would protect the privacy of Canadians.
    Am I answering your question?
    As much as you can. Do you view the CIA as a threat to Canadians' electronic privacy in light of the information that was exposed by that WikiLeaks dump?
    If I might respond, that would be up to the American inspectors general, our counterparts there. Our focus is CSE's activities and the information that CSE shares with its counterpart, the National Security Agency in the United States. The commissioner's office has conducted an in-depth review several years ago on the sharing of SIGINT information. A number of recommendations that the commissioner made addressed some of the concerns that were identified in that.
    As far as the CIA goes, that is not something that we would be dealing with. We're dealing with CSE and its sharing of information with its allies and ensuring that Canadians' privacy is protected in the course of that sharing.
    Until last year, your organization shared Canadians' metadata personal information with the Five Eyes partners, which includes the United States. With the increased focus on the United States by the international hacking community, how are you ensuring...and what can you tell us? As parliamentarians, we represent Canadians from the personal point of view, their privacy, as well as that of businesses. How are you ensuring the personal information of Canadians that you're passing on?
    First of all—
    There's no passing on of Canadian information amongst the Five Eyes?
    First of all, it's not our organization, so the commissioner's office is the watchdog over the Communications Security Establishment.
    Okay, so not your agency, but—
    We have the same—
    —it's the people you are in charge of overseeing.
    Right. We have the same concerns. The commissioner has the same concerns as you're expressing.
    With recent changes in the United States, for example, the commissioner met with the chief of CSE last month. Is that right, Commissioner?
     Yes, indeed.
    It was to inquire whether or not any of the changes, the executive orders, in the United States will have an impact on CSE sharing with its allies. The commissioner received assurances from the chief. We have written and requested evidence from CSE that the long-standing agreements that they have amongst the signals intelligence agencies continue, and we continue to focus our reviews on the protection of Canadians' privacy in the information that is shared.
    CSE described metadata as the context but not the content of a communication. Can you explain the difference with a real-world example for the benefit of the committee?
    What metadata could include might be a question you would want to ask CSE for the details of.
    Metadata can include identity information. Not all metadata necessarily carries a privacy interest. That is what we're looking for when we're conducting a review of CSE's activities. It could involve an email address, a telephone number, an IP—internet protocol—address, and other things. Metadata has evolved over the years, and may evolve in the future. We want to make sure that CSE's collection of metadata, which can include metadata with a privacy interest, has all the safeguards applied to it as with any other information or intersection of private communications that they are allowed to do under ministerial authorizations. That's what we're focused on.
    The commissioner, I believe, made reference earlier to a recommendation that he made to the Minister of National Defence that CSE be given explicit authority to collect, use, retain, and share metadata.

  (1635)  

    As the oversight for CSE—and the CSE provides advice, guidance, and services to help ensure the protection of electronic information and of information infrastructure of importance to the Government of Canada—how confident are you in the CSE's ability to prevent an OPM-style hack, the United States Office of Personnel Management?
    I'm going to hold it there and turn the floor over to Mr. Garrison.
    You have the floor.
    Thanks very much, Mr. Chair.
    Thank you for being here today.
    You talked about amendments to your legislation, so I want to ask about that legislation because it seems to me that you are, as an office—I guess “not sufficient” is the wrong term—significantly less independent than some of the other commissioners. In terms of reporting, you report directly to the minister on an annual basis.
    For me as a parliamentarian, I have some questions about how independent it is when you report—
    I don't report to the minister, I'm very sorry.
    Your annual report goes to the minister.
    Yes. It goes through the minister because the minister, by statute, has to deposit that report before both houses, but I don't report to the minister. The only reason I deal with the Minister of National Defence is that he is the boss of CSE.
    There's no discussion of your reports with the minister before they become public.
    No, not at all.
    There's none whatsoever.
    There's no discussion with the minister with regard to my reports, not at all, and no discussion with CSE either. Otherwise, I wouldn't be independent.
    That was my question.
    The legislation then requires that those reports simply pass through the minister's office in being deposited in Parliament. They don't—
    The public annual report is what I'm talking about.
    This is the public annual reports, but you also do other reports from time to time that go only to the minister.
    Indeed. For example, I think last year we had—what?—seven classified reports sent to the minister. Let's say we review some CSE activities in depth and then we make recommendations to the minister in a classified report. This is sent to the minister only, and naturally a copy goes to CSE.
    But you have in those no authority to order any actions by the minister.
    No. I make recommendations.
    You make recommendations.
    Just to reassure you, all recommendations that were made for the last 10 or 15 years with regard to privacy have been accepted. With regard to the other recommendations, I think 94% of all the recommendations that I and my predecessors have made have been accepted.
     In the annual report or in the other reports...?
    I mean all the recommendations in general. Normally the recommendations would be indicated in the annual report. There is a summary indicated in the annual report. As I said, 93% or 94% of all the recommendations over the last 15 years have been accepted by the minister and by the agency. I think that's a good record.
    One of the things the legislation allows for is the minister to authorize CSE, under certain conditions, to intercept Canadians' communications.
    There are certain exceptions. Do you review all of those authorizations?
    Yes, I do.
    Are those reported in your annual report or only in the confidential reports to the minister?
    I think it's both. Yes. If you look at the last annual report, you'll see that I discuss that.
    As I said, the classified reports are not public. They are sent to the minister, but there's also mention in the public report that I submit every year to Parliament.

  (1640)  

    I think you can see the concern and what I'm driving at. If the minister can authorize CSE to do things it doesn't normally do, we have to make sure that someone independent is examining each of those and reporting back on the success.
    We do. As I said in my opening remarks, that's the reason we exist.
    Okay.
     This is one of the reasons we exist.
    I have a point of clarification, sir. For the classified reports that the commissioner signs that go to the minister, the annual report is made up of an unclassified version of those classified reports. Recommendations that will be included in a classified report to the minister, who is responsible for CSE and who can tell CSE to implement them, if there is some disagreement.... The unclassified version and, generally, those recommendations will also be in the annual report.
    Another very specific concern that's been raised has to do with the Five Eyes, and this was raised a bit earlier. There are sometimes allegations that the Five Eyes, which are not authorized to spy on their own citizens, can and have in the past asked other agencies of the other countries to do that for them and then shared the information. Do you have any ability to review that practice? Would you know about that practice?
    As I say, the Five Eyes are not supposed to spy on each other's citizens. They have arrangements. MOUs do exist in that regard between those countries. If this were to happen and I were aware of it, I would investigate it. But as I said—
    But there is no process and I know these parallel the ministerial authorizations. There is no process for authorizing exceptions to those that you would be aware of.
    Again, we have to bear in mind, also, that each of those countries are sovereign countries. At some point in time they might decide to do otherwise.
    That's my concern.
    Yes. That's a fact of life.
    In the memorandums of understanding, you could have arrangements such that when and if that does happen, there would be notification. Then you'd be able to review those cases, but there is no process for that at this time.
    If I could, Chair, the reviews that we conduct.... The questions that you're asking would be well directed to CSE to provide—
    I'm asking if you can review that.
    We will review the activities of CSE. The commissioner has no jurisdiction, of course, to review the activities of NSA or GCHQ, or the Australian or New Zealand equivalents. But we do have the ability to ensure that whatever activity CSE is conducting and the interceptions they are conducting, comply with the laws of Canada and with the internal policies and agreements that they have.
    As you might know, CSE cannot target Canadians or persons in Canada. It's a foreign agency.
    Except with ministerial permission, and except if one of the parties to communication is outside the country. These are pretty big exceptions.
    Yes. Let's say CSE targets a foreign fighter in Syria. In doing that, they might unintentionally or incidentally—
    Collect information about Canadians.....
    They are entitled to—
    No. This is where the minister, through an authorization, would permit them to do it. Otherwise, they would commit a criminal offence, under the Criminal Code of Canada. It's a private communication, so therefore—
    Sorry, sir.
     That's okay. We have to wrap that one up.
    Mr. Spengemann, you have the floor.
    Thank you, Mr. Chair, and my thanks to you, gentlemen, for being with us this afternoon.
    Commissioner Plouffe, thank you for your service as a member of the armed forces, as a jurist, and as a public servant.
    My questions will be addressing the interests of the Canadian public in this matter, which is complex, and in my view, probably not as well understood as it should be.
    You mentioned public trust in your comments, and I think probably the single biggest asset any public institution can have is trust. There are two dimensions of trust with respect to the agency you are overseeing. It's trust vis-à-vis the Canadian public, but it's also intra-agency trust to ensure that intelligence is transferred and that access to information is available.
    I'm wondering if you could comment on, first of all, the level of Canadian awareness of the security agencies we have in place and what you think could and should be improved to raise awareness. You mentioned the Snowden affair, and I think that the Snowden affair has increased general awareness of this issue and that there are things going on that we may not see or hear about. It's also in some respect potentially eroded trust. What would make your work easier in terms of the extent of knowledge by the Canadian public of the subject matter you are engaged in?

  (1645)  

    That's why I talk about transparency. For the last three years, I've been pushing and pushing and pushing CSE to release more information and to give more explanations to the Canadian public about their activities. If you don't do that, it's pretty hard to maintain public trust.
    There is all kinds of information that could be released. It could be statistics. It could be all kinds of things. I'll give you an example. The word “metadata” four years ago was secret. We could not talk about metadata. It was secret. Today it's not, so if it's not today, it wasn't then.
    CSE is like CSIS—they are secret organizations. We have to change the culture. The watchdogs, including me, are there for that purpose. It's to push for more transparency. Also, I must admit that in the last three years CSE has made a lot of effort to become more transparent. They have released more information. They participate, for example, in some conferences across the country. Their website has been revamped. They give more information to the public. I think this is one of the ways to do it, because if you keep everything secret, people become skeptical.
    What about other institutions that could contribute, not just CSE itself but perhaps this committee of parliamentarians or the press? What's your sense of the extent to which other factors could be helpful?
    As you know, my mandate deals with CSE. However, I think the principle I'm talking about here, the transparency, would apply also to this new committee. I think this new committee would in my view enhance public trust. It's a good thing. It's a step forward in the right direction.
    That's helpful. Thank you for that.
    You mentioned earlier that you're not an expert in the technical subject matter of what CSE does, but could you give us your view, for the benefit of Canadians who may not be familiar with it, of the general operational setting of foreign intelligence or foreign signals gathering? What's that work like and what's changing? What's changed in the last five years, and what's accelerating?
    I'm assuming part of the problem is simply the growing mass of data that agencies have to sift through to distill any kind of valuable information. How much is that a constraint and what other factors come into it when you talk about the fairly rapid and fluid environment?
    That's quite easy for me. I'll ask my expert to answer.
    Thank you, Commissioner.
    Part of our task in the commissioner's office is to ensure that we are staying abreast and up to date on what is happening within CSE. We do that through the reviews we're conducting, through briefings we request from CSE in specific areas, and through demonstrations of particular systems we want to examine, whether or not we can determine that there may be risks to compliance or to privacy in those systems or in the activity. We then have a risk assessment to determine where risk is higher for particular activities. Then we assign a priority to begin conducting reviews. We have engaged on contract a computer engineer, for example, to help us better understand the technology.
    However, it's incumbent on CSE, through ministerial directives and authorizations, to assist the commissioner's office in the conduct of our reviews. If we were to find that they were not, for example, willing to provide a certain presentation, briefing, or demonstration to us on a particular area we were interested in informing ourselves about, then the commissioner would speak to the chief and say “please”.
     Have you come under capacity constraints, strictly quantitative capacity constraints, in terms of the amount of work you have to oversee?
    The latest departmental plan for the office, which we're required to submit to Treasury Board, indicates that the commissioner will be requesting an increase in the resource base. That, of course, is not a large amount of money, but the commissioner frequently asks me if I have enough resources to conduct an adequate review of CSE. That is something we look at.
    CSE is a technology-intensive organization, so the number of people isn't the same as for, say, human intelligence organizations.

  (1650)  

    Thank you.
    I think that's my time, Mr. Chair.
    That's your time.
    We're going to go to five-minute questions.
    Mr. Gerretsen, you have the floor.
    Thank you very much, Mr. Chair.
    Mr. Plouffe, you talked about the fact that you've been—I think you said—“pushing and pushing and pushing” the CSE to provide more info to the public. It implies that there has been push-back. Has there been push-back, and if so, what has that been?
    Are you suggesting that they're not co-operating?
    No. When you say I've been pushing and pushing and pushing them to do something, it implies that you've been really struggling with them to do it.
    I see what you mean. Maybe it's not the right choice of words.
    What I'm trying to say is that I'm suggesting to them very strongly, every year in my public annual report and every time I meet the chief, that they should be more and more transparent. Since the Snowden—
    What's their reaction to that?
    As I said, you have to change the culture, because before the Snowden revelations or disclosures, nobody would talk about CSE, nobody would talk about my office, and nobody would talk—
    Do you feel that the culture is changing?
    I think it is changing, honestly, yes, because they have made improvements in the last.... I can only talk about the last three years because I've been there for the last three years. They've made a lot of effort to release more information and they are releasing more information, but as I say, nothing is perfect. To be very candid, they could do better.
    Do I meet some resistance at times? Yes.
    How could they do better?
    They could do better.
    How?
    By releasing more information and giving more explanations.
    I'll give you just one example. Two years ago, they didn't want to release any statistics with regard to the number of private communications that were incidentally intercepted. I put on some pressure and finally they did release it. Do you know what the number was? It was 66. They intercept millions of communications and there were only 66 dealing with private communication.
    I don't want you to put words in their mouths, but you're obviously talking to them. What's their rationale for that? Why was it difficult for you to convince them to release that?
    Why were they saying, “Well, no, we don't want to release this” until you were able to—
    I'm not saying it's difficult. It just means I have to convince them.
    Being a secret organization they're not used to releasing information. This isn't their culture, so you have to convince them that since Snowden, the world has changed. I think they realize that, but as I say, I have to make suggestions. For example, if you look at the U.K. right now, they are releasing much more information than we are here in Canada. It's the same in the States.
    You said that your main responsibility is to make sure that the activities of CSE comply with the law.
    Do they comply with the law?
    Most of the time they do. They always have, except once, two years ago. They did not comply with the law.
    Are you confident in saying that they comply with the law?
    Yes, as the executive director mentioned, our reviews are based on risk analysis. By “risk” I mean the risk to compliance and the risk to the protection of the privacy of Canadians. Every year, we sit down and ask, “Based on what we know, what type of activities should we review this year?” It's based on the risk.
    On the other hand, there are certain matters or activities that we review yearly.
     Yes.
    For example, everything dealing with privacy matters, we will review yearly. We have PIF, the privacy incident file. We review that every year. When privacy is involved, we are very careful. We do all kinds of reviews with regard to privacy.

  (1655)  

     I want to ask you one more question on Snowden, since you brought that up. What's your concern there? I realize that a lot of information is being released, and that the public therefore needs to be educated as to why this information is being collected. Is the concern with Snowden about what he's been distributing, or is it about the individual? A lot of people will ask why Snowden is only releasing information on the U.S. and hasn't seemed to do anything on many other countries.
    What's your concern there? Is it the fact that it could be anybody, or is it directed at him specifically?
    As much as I'd love to hear the answer to that—and I really would—I'm going to have to give the floor over to Mr. Paul-Hus. Maybe someone can go back to that question.

[Translation]

    Hello, Mr. Plouffe and Mr. Galbraith. I'll try to be brief.
    There's a great deal of talk about privacy. You said that your job is to ensure the privacy of Canadians is respected. However, I'd like to talk about the other aspect. Can you confirm that the CSE team is actually skilled? Do its members have the professional skills and resources needed to protect Canada? Last year, the director of CSE mentioned that the Government of Canada's computer systems were attacked at least a million times a day. We know that, at this time, cyber attacks are becoming the greatest threat around the world. Do you think we have the necessary skills?
    Again, it's not that I don't want to answer you, Mr. Paul-Hus. However, I can't speak for CSE as such. Maybe this question should be addressed to—
    As an analyst, what do you say when you see this?
    Do you think these people have the skills?
    Absolutely. This agency has all sorts of experts.
    When our own experts meet with them, they have discussions among experts. For example, if we send one of our expert investigators, the expert investigator will go see the analyst. The investigator will ask the analyst to explain what he's doing and to show him certain things.
    You're comfortable saying that Canada is well organized and has the necessary skills.
    Also, we've learned that the Minister of Public Safety and Emergency Preparedness wants to review the Anti-terrorism Act, 2015 and amend certain parts of it. If the act is amended, will CSE's capacities be reduced? It would have a negative impact on Canada's security.
    That's a hypothetical question. I apologize again, but I haven't seen the desired amendments.
    To answer your question as I understood it, the final goal is to ensure a balance between the security of Canadians and the protection of privacy. This is no easy task, but a balance must be maintained. If too much focus is placed on protecting privacy and security is neglected, that's not good. The opposite is also true.
    When it comes to CSE, for example, I can say that I'm trying to maintain the balance.
    You're the watchdog of this side of things.
    At this time, if the government makes amendments and you determine that the amendments may affect security by reducing capacities, you'll report this to the government or the opposition. Isn't that your job?
    Yes, when it comes to CSE.
    Ultimately, CSE is a secret agency. We can't ask any questions about the agency's work. However, you're here to tell us whether you can verify that, as a whole, Canada and Canadians are well protected, because the agency's members can't talk. Without revealing any secrets, can you confirm whether things are going well?
    Yes, but you must know that I don't have the mandate to assess the agency's performance. Normally, an inspector general does this. For example, in the United States, this role exists.
     I also think that SIRC, which looks after CSIS, is supposed to review performance. I don't have this mandate. I don't assess CSE's performance, as such.
    It's more a matter of legislation, to see whether security—
    Yes, of course. My role is to say whether the activities comply with the law and whether they adequately protect the privacy of Canadians. No Canadian wants to be spied on.
    Of course.
    There was talk of international operations. We'll be sending troops to Latvia, and we'll likely send CSE elements and other elements with the Canadian Forces communications. One of the threats in Latvia will be cyber attacks. Is Canadian law applicable during foreign operations? Or does another international law govern how CSE operates?

  (1700)  

    CSE is governed by part V.1 of the National Defence Act.
    It covers Canada.
    Yes. However, as I mentioned a few minutes ago, CSE is a technology agency that operates abroad. Other security agencies, such as the police, may occasionally ask for CSE's help. That's also part of CSE's mandate. CSIS, in particular, can ask for CSE's help if it's spying on someone abroad but doesn't have the necessary technology. CSE will agree to help, but only if the agency is legally authorized to act. If that's the case, CSE will assist CSIS.

[English]

     Mr. Fisher.
     Thank you very much, and thank you, gentlemen, for being here.
    I'm going to stay on a line of questioning that's already been brought up by Mr. Garrison and Ms. Gallant. In 2013-14, your predecessor had made note that the CSE did not have a way to determine absolutely that the other Five Eyes organizations were keeping their promise to protect Canadian data.
    You talked about the golden rule that no one in the Five Eyes will spy on each other's people. Do you feel there have been some improvements since that comment was made in a report by your predecessor? Are there checks and balances now in place, or were they always in place and he just wasn't aware of them and wasn't able to guarantee they were there?
    You're talking about my predecessor. Are you referring to Mr. Robert Décary?
    Yes.
    Rather than stating whether or not there have been improvements, the reviews we conduct on CSE's relationship with its partners look at it from the Canadian perspective and Canadian laws. The agreement is that the Five Eyes partners will respect the laws of the country in terms of privacy.
    Two years ago Commissioner Plouffe, following up on a review of the signals intelligence sharing CSE does with the National Security Agency, travelled to Washington and met with his counterpart the inspector general of the NSA to seek assurances that indeed the NSA was protecting Canadians' privacy as per agreements.
    As Commissioner Plouffe mentioned earlier, we're talking about sovereign nations and there is no way to be able to force that. The inspector general has a similar role, has a much broader role, in fact, than the CSE commissioner, but part of that role is similar in terms of complying with the laws of the United States and seeking assurance that Canadian privacy was protected. Any action that would be done with that information would be preceded with a request. It would have to go back to CSE before they would be able to do anything with that information.
    In passing, I do meet occasionally with my Five Eyes counterparts. We had a meeting last year in Washington. This year it's in Ottawa in September. All the watchdogs meet and we discuss all kinds of problems. Therefore, you know—
    Essentially it's a trust thing.
    The question you're raising is discussed among us.
    Yes, but essentially there's no official check or balance. There's a trust component. You spoke about NSA and that's one of the other Five Eyes. I assume you mean you've had conversations with your counterparts, all of the Five Eyes, or the other four.
    Essentially, we just have to trust that the data is—
    There are arrangements, or MOUs, between the Five Eyes. I know that an MOU is an MOU, and it's an arrangement. It's not a contract as such. It's like a gentlemen's agreement, if I may use the expression. But still, it's there. Like you say, it's based on public trust.

  (1705)  

    Do you, as the commissioner, see any or have you already made any recommendations on how you could tighten that up?
    Do you want to talk about this?
    There was a recommendation that the commissioner made to the minister to provide direction to CSE regarding his expectations for protection of privacy with respect to information that is shared with CSE's partners. We are monitoring that in terms of CSE's development. Obviously, CSE will have to be the one to take that direction from the minister. The commissioner reminded the minister and CSE of that recommendation to provide ministerial direction for the sharing of information.
    Okay.
    That's your time.
    That was fast.
    Five minutes goes quickly.
    Mr. Bezan, you have the floor.
     Commissioner and Mr. Galbraith, thanks for joining us today and for the hard work that you've both demonstrated throughout your entire careers.
    That's especially true at the tender age of 74.
    You're looking fantastic.
    It's a young 74, though.
    I want to go into your earlier comments more, regarding how the threat and the technology has evolved but the legislation and the laws in Canada have not. In your role as a supernumerary justice, what are the changes in the legislation, whether it's in the Security of Information Act or the National Defence Act, and what should we, as legislators, be considering as ways to make sure that CSE is able to keep up with the threats and the technology and to maintain and improve upon the privacy protection of Canadians?
    As I mentioned in my opening remarks, the law was enacted in 2001 following the events of September 11. In the meantime, the technology has evolved. The legal landscape has evolved. The threat environment has evolved. The law has not kept up. That's why I'm pushing for those amendments to the National Defence Act. We've been waiting for the last 12 years.
    My predecessor, the Right Honourable Antonio Lamer, said that since it was a temporary affair—this was in 2005—temporarily he would abide with the law as interpreted by the Department of Justice. Sometimes my predecessors and I don't necessarily agree with the legal interpretation given by the Department of Justice. Therefore, it's because of those ambiguities and so on.... I'm told that those amendments that we've been asking for over the last 12 years should be put forward in the near future.
    Would any of those amendments revolve around the ministerial authorizations, whenever those requests come in from CSE?
     It's with regard to ambiguities to start with, and also I made a recommendation to modify my role as CSE commissioner. At the present time the minister, through an authorization, could authorize CSE to intercept private communications abroad incidentally or unintentionally, if you wish. In my case, I review those activities after the fact. Some academics in particular and some media have criticized that approach saying that maybe CSE, like CSIS, should be subject to going to the Federal Court to ask for a judicial warrant. I find that almost impossible because, first of all, when CSE targets somebody outside Canada, for example, at the time, they don't know the names. They don't have any particulars, so it's really hard to obtain a judicial warrant when you're dealing with a foreign agency.
     I suggested to the minister that a commissioner, as a retired judge with a lot of experience and some knowledge about the activities of CSE, maybe should act before the fact. In other words, when CSE makes a demand to the minister with regard to an authorization to intercept, let's say, private communications—and in the National Defence Act there are conditions that the minister must respect—I'm suggesting to the minister that maybe when he receives that request from CSE, it should go through me and I should have a look at it.
    It's not a judicial warrant, because I'm a retired judge. Nonetheless, you would have some judicial eyes look at the conditions, look at the request, and advise the minister he shouldn't sign something that doesn't meet the conditions in the National Defence Act. In other words, it's to change the timing of my intervention. I should do it before and not after the fact. This would help the minister with regard to his accountability to Parliament and to the Canadian public.

  (1710)  

    Thank you.
    Ms. Alleslev, you have the floor.
    Thank you very much.
    Again, thank you for being here.
    I'd like to follow up a bit on the question that was asked by my colleague. Are all the recommendations you are making to amend the National Defence Act in the public domain?
    Not right now.
    The National Defence Act is currently in the public domain, is it not?
    Yes, I agree, but let's say CSE's procedure to do that would be for CSE to prepare a memorandum to cabinet suggesting that the National Defence Act be amended and then the cabinet would look at that and approve or disapprove whatever.
    As an oversight body, you are looking at how the organization complies with the laws, and then you're identifying gaps in the law as well. Would it not be something that you would make a recommendation on, and because it doesn't pertain to anything secret, it could be public and therefore we, as parliamentarians and as a society, could understand where the gaps are in the National Defence Act and what recommendations and what laws need to be in place to comply appropriately?
    This is all in my annual report, which is public.
    All the recommendations to the National Defence Act...?
    No, but for example, pages 43 to 44—
    Yes, I read them, but I didn't see 12 recommendations on the National Defence Act, so maybe I missed them.
    There are not 12.
    You just mentioned that you were proposing 12 changes to the National Defence Act.
    No, I'm sorry, I don't think I said 12.
    Okay, I apologize.
     I'm saying my predecessor and I have made recommendations over the last 12 years for amendments to the National Defence Act. I'm told that those recommendations are accepted, but I'm waiting to see whether or not they will be accepted on paper. I have been told verbally that this is coming soon, but I don't have access to the memorandum to cabinet. As you all know, this is confidential. As soon as it is approved then it's part of the public domain and then everybody will know about it, including you and me.
    Thank you.
    Further to that, you are the last line of defence in terms of the accountability and oversight of the organization CSE because, of course, it's a secret organization, so there's no media. There's no other opportunity. How do you measure performance in your organization in your ability to conduct that oversight?
    I understand the organization is 2,000-plus people. You're eight or nine people. It's an incredibly complex organization, so, yes, you can report on the things you're touching on. How do you know what you don't know, and how are you measuring performance yourself so that Canadians know that the oversight is a comprehensive and robust oversight?
    That question is asked all the time. How can you effectively review the CSE activities, with, let's say, 10 people, whatever, when CSE is composed of 2,000 people?
    As we said previously, we proceed, with regard to a review of activities, with a risk analysis. In other words, every year we look at the situation and decide what we should do with regard to reviews. I'm advised and counselled by experts who have worked previously with CSE, with CSIS, with the public safety department, and so on and so forth. Then we decide, for the following year, what we'll do. We have a work plan and this is what we do.
    Again, if we come to the conclusion that we don't have enough resources, I would ask for more. This is what we're doing for next year. We've asked for more resources, because now we feel that we need more people, more experts, to investigate, but you also have to understand that even if CSE is composed of, let's say, 2,000 people, they're not all analysts. There are all kinds of people there dealing with administrative matters, blah blah blah, so this is what I'm trying to say. I think for the time being, I feel confident that I have enough resources to do a good job.

  (1715)  

    Thank you very much.
    I know you wanted to say something but I'm going to have to pass the floor to Mr. Garrison for the last question.
    Thanks very much, Mr. Chair.
    I want to go back to my concern about the other four “Eyes” and the sharing of activities and maybe requests that go back and forth.
     I'm asking about your ability to review the co-operation with those four. I know you've said very explicitly you can't obviously review the other four, but I'm still almost obsessed with that question of the joint activities and whether you can review those joint activities, or whether those joint activities are not subject to review by you.
    I don't necessarily review joint activities, but I'll review activities where CSE is sharing information with its Five Eyes partners. Then I'll review it because CSE is involved.
    Okay.
    This is how I discovered last year that CSE was not acting legally or lawfully. They shared what we call CII, which is Canadian identity information, with some Five Eyes partners without minimizing the information. For example, you cannot name the person. You should say a Canadian, for example. There was a problem and they didn't do it.
    On the reverse of that, do you have the ability to review when information is coming from the other four eyes?
    If it's coming to CSE, I'll review it, no problem.
    So you can do that.
    Have you regularly reviewed the MOUs between your organizations to make sure the MOUs promote the observation of the law?
    I'm not involved with regard to reviewing MOUs. I'm aware of the existence of MOUs. I might have access to MOUs if, when reviewing CSE activities, it becomes relevant to do it, on a need-to-know basis. As I say, I have full—
     It would seem to me that examining those MOUs would give you insight into whether it raised questions of violating Canadian law.
    Do you want to answer?
    We have access to the agreements between the Five Eyes. CSE has shared those with us, so we're able to see what in fact they have agreed to. Our reviews will look at whether CSE is complying with it and what assurances they are obtaining from their partners that they are complying with those long-standing agreements.
    Are you able to review the long-standing agreements themselves and make recommendations to CSE if they indicate a direction that might violate Canadian law?
    If there were a question raised in an agreement that the commissioner believed compromised privacy or something, he would make a point of that.

  (1720)  

    Normally—
    I'm not asking these questions to say that you're not doing your job. I'm asking to be reassured by the job you are doing.
    The arrangement, or the MOU that we're talking about, would be concluded, let's say, between CSE and NSA in the States. As Mr. Galbraith has said, we have access—I was forgetting about this—to those arrangements or MOUs.
    Is that it?
    Yes.
    Okay.
    Gentlemen, thank you both for your collective years of public service and for coming to talk to us today about CSE.
    Have a good day. The meeting is adjourned.
Publication Explorer
Publication Explorer
ParlVU