Thank you, Mr. Chair and members of the committee, for inviting me to discuss the Security of Canada Information Sharing Act, or SCISA, which was enacted under Bill C-51, the Anti-terrorism Act, 2015.
When Bill C-51 was introduced in Parliament in early 2015, I expressed strong reservations, which remain true today. In my remarks this morning, I'll briefly summarize these reservations and will then encourage you to review national security information sharing issues more broadly. Finally, I'll explain the review we have undertaken of how SCISA has operated so far and how other legal authorities are used by federal institutions to share information for national security purposes.
My first point is that the justification for SCISA should be made clearer. I recognize at a general level that greater information sharing may sometimes lead to the detection and suppression of security threats, but we have yet to hear a clear explanation, with practical examples, of how the previous law prevented the sharing of information needed for national security purposes. A clearer articulation of the problems with the past law would help define a proportionate solution.
Second, I remain concerned that SCISA authorizes information to be shared where it's merely relevant to national security goals. Setting such a low standard is a key reason why the risks to law-abiding citizens are excessive. If the necessity or strictly necessary criterion is adequate for CSIS to collect, analyze and retain information, as has been the case since its inception, it's unclear to us why this standard can’t be adopted for all departments and agencies with a stake in national security. Necessity is the international privacy standard.
On a side note, the issue of standards leads me to the preamble of the act, which you discussed with government officials last week. This preamble indicates that information is to be shared among departments in a manner that is consistent with the charter and the protection of privacy. However, this is not a true legal standard, but rather a wish or a pious hope.
As we indicated in our submissions to Parliament last year, we believe that effective privacy protection requires more than guiding principles that don't have the force of law. It requires the adoption of real legal standards. The obligation to disclose information in a manner that is consistent with privacy protection should therefore become an enforceable legal standard, as is the case with the rules governing the disclosure of information. To that end, SCISA should adopt not only the principle of necessity, but also that of proportionality.
Third, independent review of information-sharing activities is incomplete, given that 14 of the 17 receiving institutions under SCISA don't have dedicated review bodies. A parliamentary review, such as the one suggested by Bill , will help but is insufficient. All departments involved in national security also need to be reviewed by independent experts.
Fourth, retention rules should be clarified. If the government maintains that the sharing of information about ordinary citizens—such as travellers or taxpayers—is necessary to identify new threats, national security agencies should be required to dispose of that information after these analyses and when the vast majority of individuals have been cleared of any terrorist activities.
Fifth, the law should require written information agreements. Required elements to be addressed in these agreements should include the personal information being shared, the specific purposes for the sharing, and limitations on secondary use or onward transfer. Other measures should be prescribed by the regulations, such as safeguards, retention periods and accountability measures.
While SCISA was an important addition to the Canadian legal framework related to national security, it is intended to be one element of a much larger whole. Limiting your review to SCISA will give you a very incomplete picture of national security information-sharing activities. I would therefore encourage you to also examine information-sharing with international partners and domestic information-sharing under legal authorities other than SCISA. Knowing more about other authorities will give you a better insight into whether SCISA is really necessary.
When Bill was tabled, I committed to examining and reporting on how its implementation would ensure compliance with the Privacy Act and inform the public debate. Our findings following the first phase of our review of the first six months of SCISA implementation are tabled in the most recent annual report. We have identified a number of concerns and offered recommendations. The OPC has concluded that the privacy impact of the new authorities conferred by SCISA was not properly evaluated during implementation, and we recommended that formal privacy impact assessments be performed.
The OPC also found several weaknesses with a Public Safety Canada guidance document intended to help departments implement SCISA. Although Public Safety Canada agreed to improve the guidance, no changes have been made a year after the OPC provided recommendations aimed at minimizing privacy risks. During our review, the OPC sent a questionnaire to all federal institutions to determine how often SCISA was used and, more particularly, whether it had been used to share information about persons suspected of terrorist activities or about law-abiding citizens. Most institutions told us that they had not used SCISA during the review period, but that they relied, instead, on other authorities.
So, there is information sharing for national security purposes, but most institutions told us that they are relying on other sources of authority than SCISA.
Five institutions told us that they have used SCISA for a total of 58 disclosures and 52 receipts of information. Institutions also told us that all SCISA information-sharing activities in the first six months following implementation concerned persons suspected of terrorism.
During phase 2 of our audit, we will review departmental records to verify whether that information is accurate and whether information sharing under authorities other than SCISA concerned suspects or persons not suspected of terrorist activities.
The goal of this review is to provide as clear a picture as possible on the use of SCISA, and other laws, in order to inform public and parliamentary debate as we head toward the government's planned review of Bill . We would like that review of Bill C-51 to occur with a clear, factual, evidentiary basis, as opposed to simply a discussion of principles, however important the principles are.
With that, I would be happy to take your questions.
Chair and members of the committee, I am grateful for the opportunity to appear before you to provide some views on the Security of Canada Information Sharing Act, or SCISA, which is now embedded in Canadian law following the passage of Bill , the omnibus anti-terrorism legislation introduced by the previous government in 2015.
provisions came into force, as you know, in August 2015. The Liberal Party promised to repeal the problematic elements of Bill C-51 and is currently engaged in the process of public consultations on elements of Canada's national security, but the government's plans with respect to any possible amendments to SCISA, in particular, have not been revealed.
SCISA appeared as part 1 of Bill in 2015. I was invited to appear before the Standing Committee on Public Safety and National Security on March 24, 2015 to testify on Bill C-51 as a whole. In my testimony, I divided the measures advanced in Bill C-51 into three baskets: first, those elements that can genuinely advance security capabilities in a reasonable and proportional way; second, those that do not advance our security capabilities or fail to maintain the vital security-rights balance; and third, those that, I think, deserve to be put on hold for deeper reflection.
In March 2015, I placed SCISA, or part 1 of , in the first basket, of appropriate security enhancements. I also argued, and I quote myself, that SCISA “would greatly benefit from some detailed amendments...to bring greater clarity, heighten...efficacy, reduce...overbreadth, and bolster the security-rights balance.” Despite considerable public criticism of SCISA, no amendments were made to the act before it was passed into law. Nothing that has come to my attention since the passage of SCISA in unaltered form changes my essential view—that SCISA can and should be amended.
In terms of advancing security capabilities, the purpose of SCISA is, presumably, to try to ensure appropriate information sharing through exhortation, through a broadening of the information-sharing regime to encompass a large number of listed entities, and to allow for expanded information sharing under an altered definition of “threat”.
The committee has heard from eminent legal academics versed in national security matters, from a civil society actor, from the Canadian Civil Liberties Association, from government officials, and, earlier today, from the Privacy Commissioner of Canada. The perspective I offer is informed by my understanding of how intelligence and security systems regulate their information systems. I'm sorry if what follows sounds a little philosophical, but it has a practical point.
The specifics of SCISA need to be examined in the context of five guiding principles that should inform any effective information-sharing system for intelligence and security purposes within government. These principles have long been recognized and are as follows: the need to know, the need to share, the need to secure, the need to avoid information overload, and the need to be accountable. These needs shape an effective and reasonable information-sharing regime in a democratic system. They encompass lawful mandates as well as privacy and civil liberties protections. They are meant to interact to ensure balance between over-ingestion and under-ingestion of information. They are deceptively simple in the literal sense of their meaning, but not easy to operationalize as a package.
I want to just run through these five principles briefly.
The “need to know” principle refers to limits on information sharing that are shaped by the lawful mandates and operational needs of the agencies involved and by the requirements of information security. The more sensitive the information—the more that information might reveal details of intelligence sources and methods—the more intensively does the “need to know” principle come into play. “Need to know” can also be infected by non-operational imperatives, including bureaucratic politics, management styles, and personal proclivities on the part of officials working in the security and intelligence system. It is important that the “need to know” principle operate appropriately as a limiting factor, but it is equally important that the principle not be shaped by extraneous dynamics.
The “need to know” provisions in SCISA are generally weak and under-defined. Paragraph 4(e), under “Guiding principles”, sets out in a very general way the authorized actors in the revamped information-sharing regime. Subsection 5(1) of SCISA posits a need to know based on the notion of relevance, again a very general and potentially overbroad measure.
While it would never be possible to strictly operationalize a “need to know” function, because to do so might be to hamstring any information-sharing regime, SCISA errs, in my view, on the side of unhelpful generalizations, compounded by the implication of subsection 5(2) that, once information sharing is set in motion, it can continue down an undetermined path of further disclosure.
One remedy to consider would be to import a version of the limitation set out for CSIS in its act in section 2, through the use of a strictly necessary yardstick for information sharing.
Justice Noël, in a recent Federal Court ruling on CSIS warrants and the retention of metadata, has reminded us of the historical context of that CSIS-limiting clause. As Justice Noël indicated, it may be time to review the strictures of the CSIS Act, but if the strictly necessary provisions of the act are deemed worthy of maintaining, then their applicability to an information-sharing regime for national security purposes seems, to me, obvious.
Then there is the need-to-share principle.
The need-to-share principle rules SCISA. This might be regarded as an “Oh, duh” moment, but the problem is that the principle rules in a completely unbalanced way that, among other problems, might have an impact on the very objective it seeks: more effective information sharing in the interests of national security. There are three problems, I think, with SCISA in its adopted form.
The first is the large number of entities listed for participation in SCISA's schedule 3. This list stretches the meaning of the core security and intelligence community to include many entities with only a very marginal role in national security matters. The list can be further shaped by Governor in Council orders that would not necessarily be in the public domain.
Many of the listed entities will be only bit players, at best, in the scheme. The recent annual report of the Privacy Commissioner gives substance to this reality, as he found that in the first five months of SCISA, only five institutions utilized powers in the act. A bigger problem is that while agencies outside the core security and intelligence community might on occasion have valuable information in their possession, they lack the attributes of rigour, methods, and understanding of national security matters.
The SCISA entities listed in schedule 3 should, in my view, include only core elements of the Canadian security and intelligence community. These can be identified and, in keeping with this, the list should be considerably reduced from the 17 named organizations. Moreover, I think there should be a requirement that all listed entities have a common formal memorandum of understanding to guide their information-sharing practices internally.
A second problem is the expansive justification for information sharing provided in SCISA. As noted, the justification found at subsection 5(1) is relevance, which is not, in my view, a tight enough criterion as it does not provide any rigorous guidance and does not allow for any real accountability. Relevance needs to be replaced by some form of language about necessity and should include a measure of proportionality that is linked to mandates and to threats.
The third and arguably the mother of all these problems is the question of how SCISA defines the nature of the information to be shared. SCISA adopts a new definition at section 2 regarding “activity that undermines the security of Canada”, and I know you've heard a lot about that. This is a more expansive and open-ended definition than that provided in the CSIS Act, and I have heard no good argument for the change.
While I appreciate that the drafters of the legislation may have felt that a broader definition of the kinds of threats that now impact on Canada may have been required, on balance the definition they provided does not advance the public interest and has sown confusion and, in my view, many misplaced ideas about the powers provided for SCISA. A replacement use of the definition of threat in section 2 of the CSIS Act advances many of the same objectives, is an established criterion, and would provide greater clarity.
In particular, paragraph 2(i) of SCISA, as it currently stands, introduces a very dangerous dimension to government powers insofar as it opens the door to foreign interference in the domestic politics and sovereignty of Canada. It is also unclear to me how the SCISA definition of undermining the security of Canada operates for CSIS—one of the core agencies in the national security information-sharing regime—alongside its own mandate of threats to the security of Canada differently defined.
Fourth is the need to avoid information overload. Very briefly on this, one reason that it is important to find the right equilibrium between the competing demands of the need to know and the need to share involves the potential problem of information overload. If agencies and departments under SCISA are flooded with information that is ultimately not necessary to national security, not only does this information flood waste resources and personnel and impose additional burdens in terms of information security but it also hinders the overall operational effectiveness that is so important in a security and intelligence system that must constantly adjust its work according to its own calculations of threat and risk and that is always under immense resource constraints.
A too-expansive information system is not a precautionary measure; it can simply be an unnecessary burden. Too much information can be worse than too little.
The need to avoid the information-overload principle cannot be directly legislated. It has to be a product of the proper balance between need to know and need to share.
With regard to the need to secure, although SCISA contains an element of exhortation, particularly in sections 3 and 4, there is no exhortation regarding the related requirement in any information-sharing regime, and in particular in a more expansive system, for the careful protection of shared information. In an age of increased cyber-threats and in the face of the usual human proclivities for error and mishap, an expanded information-sharing regime must be accompanied by greater information-security practices. There is nothing of the sort in SCISA.
One way that such practices can be subject to internal self-examination in the departments and agencies involved in information-sharing is through mandated privacy impact assessments, but I note that in the 2015-16 annual report to Parliament by the Privacy Commissioner, only two of the 17 entities authorized to collect information under SCISA had deemed privacy impact assessments to be necessary. Even in those two cases, the privacy impact assessments, which under Treasury Board guidelines are meant to inform policies prior to their being fully implemented, were still being developed.
Another measure that could be considered in amendments to SCISA would be to provide an authorized role for departmental security officers in monitoring and reporting on information security measures.
Thank you, Mr. Chair. I will try to keep my comments brief so that we do have time for full questions.
Thank you, as well, to the members of the committee and to you, Mr. Chair, for having me back here again.
My name is Tamir Israel. I am the staff lawyer with CIPPIC, the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic. CIPPIC is a public interest clinic based at the University of Ottawa's Centre for Law, Technology and Society in the Faculty of Law. Our mandate is to advance the public interest in policy debates arising at the intersection of law and technology.
We are pleased to have the opportunity to testify before you today on the study of the Security of Canada Information Sharing Act, which I will refer to as SCISA.
As you are aware, SCISA was introduced last year as a central component of Bill . In CIPPIC's view, SCISA constituted one of the more problematic elements of that legislative initiative, and it remains so.
Participation in modern life requires Canadians to entrust ever-growing amounts of data to their government, including sensitive financial, health, and other information. Providing such information to the government does not mean, however, that Canadians sacrifice privacy interests in this data, nor should it.
Core and long-standing privacy concepts such as necessity and proportionality, concepts intended to facilitate threat identification and prevention in a tailored manner, are wholly absent from SCISA, raising the legitimate concern that its mechanisms will be used in a manner that is disproportionate and that impacts heavily on the privacy of Canadians who have done nothing wrong.
SCISA's challenges arise in part from the regime it establishes, but also in part from gaps in the pre-existing framework that it expands and in which it was inserted. I will touch on a few of these problems, addressing specifically the relevance standard, the definition of security threats, and the lack of safeguards, which are issues you've heard of already. I will try to provide additional context and propose some solutions as I go along, some from within SCISA itself and some comprising amendments to additional regimes that come from without.
In particular, while I don't go into it in detail in my comments here, you've heard from many witnesses, as well as from Professor Wark here, that the need for an external expert review body is paramount to maintaining the overall proportionality of Canada's national security framework, and that's no less the case with respect to the operation of SCISA in general.
I'll begin with a discussion of the relevance standard. It is one of the two core limiting principles within SCISA's information-sharing apparatus. It is an over-broad standard that's insufficient. Relevance requires the presence of a reasonable basis on which to believe that the information in question relates to, in this instance, the mandate of a SCISA recipient's organization, and to activities that undermine the security of Canada.
Relevance is perhaps the lowest and least-defined legal evidentiary standard. While CIPPIC would hope that a court ultimately interpreting the relevance standard in SCISA, and taking into account constitutional jurisprudence, would impart into it considerations of immediacy and imminence, we are concerned that the standard will be used to justify generalized information sharing.
This is indeed precisely what occurred in the United States with the National Security Agency. In powers newly granted to the NSA in 2006, the relevance standard was inserted as a key limiter intended to ensure the powers in question were employed only in the context of specific and immediate investigations of security threats. This relevance standard, however, was used to expand the powers in question rather than to limit them. Specifically, relevance had been defined to mean any piece of information that may one day be relevant to an investigation, facilitating a domestic dragnet program that involved the wholesale collection of everyday domestic and international call records in the United States on a regular basis.
The reaction of the USA PATRIOT Act co-author, Jim Sensenbrenner, who is a congressman, upon discovering the scope of application arising from this relevance standard, following disclosures by former NSA contractor, Edward Snowden, is telling. I quote:
“We had thought that the 2006 amendment, by putting the word 'relevant' in, was narrowing what the NSA could collect. Instead, the NSA convinced the Fisa court that the relevance clause was an expansive rather than contractive standard, and that's what brought about the metadata collection, which amounts to trillions of phone calls.”
While Canadian jurisprudence may well arrive at a different conclusion as to the definition of “relevance” in the context of SCISA, CIPPIC is concerned that there is insufficient guidance within the act as it is currently drafted to ensure it is applied in a proportionate and narrowly tailored manner.
On the other hand, we have yet to hear a compelling case for a general departure from the existing exceptions already embodied in the Privacy Act, which SCISA envisions. Under the Privacy Act, there are two existing operative exceptions that agencies can already rely upon when attempting to share threat-related information with other government agencies. Paragraph 8(2)(e) provides an upon-request exception permitting government agencies to share citizen information with investigative agencies, if asked to do so, for the purpose of carrying out a lawful investigation. In addition, paragraph 8(2)(m) allows proactive disclosure of personal information where the government institution believes the public interest in disclosure clearly outweighs any resulting invasion of privacy.
In the government consultation paper currently being discussed as well as in testimony before this committee, the argument is advanced that these exceptions are insufficient, primarily because agencies lacking a security mandate lack the expertise or incident-specific knowledge to fully utilize the information sharing permitted by these exceptions. This may be the case, but it is by no means clear how SCISA's adoption of a highly permissive and open-ended standard will remedy this.
On the one hand, non-security agencies receiving specific requests from security agencies for data under paragraph 8(2)(e) are able to rely on the requesting agency's guidance. On the other, agencies are no better placed to identify the relevance of specific items of information to unknown or unknowable security threats than they are to assess whether disclosure of such specific items will be in the public interest, as they are already permitted to do under paragraph 8(2)(m). In any non-generalized context, the information being shared will need some specific quality inherently indicating its relation to a known threat for the exceptions to apply. Assessments of necessity and proportionality can occur as readily in such contexts as can assessments of relevance.
CIPPIC would therefore encourage two amendments to correct the existing potential overbreadth in SCISA. First, we would replace the relevance standard within the act with one of proportionality and necessity. Second, we would encourage, as we have in our previous appearance before you, an amendment to the Privacy Act that would adopt an overarching proportionality and necessity requirement that would apply across all government sharing practices, regardless of the specific Privacy Act exception under which they are occurring. This would, as we indicated in our previous testimony, apply to information sharing done under SCISA, as well.
The addition of an explicit necessity and proportionality obligation would create a more precise framework for information sharing than that currently embodied in paragraph 8(2)(e) and paragraph 8(2)(m), employing the known standards of necessity and proportionality, which agencies have experience employing in a national security context. Overlapping protection in both the Privacy Act and SCISA would permit the Privacy Commissioner of Canada to oversee protection-related information-sharing practices while allowing other oversight and review agencies to assess necessity and proportionality within the context of their respective mandates. Supplementing these changes, we would encourage training units within different government agencies, potentially within the existing ATIP infrastructure that most government agencies have, to have expertise so that in-house capabilities can be developed to identify threat-related data.
A little bit more briefly, the “undermining the security of Canada” standard is the other key limiter adopted by SCISA, and you've heard some of this from other witnesses. We would concur with the testimony of these other witnesses in raising concerns that this standard is excessively broad. To assist the committee in its assessment of this overbreadth, we would like to provide two examples of how this overbreadth can lead to disproportionate or undesirable information sharing in a few definite contexts.
Specifically, SCISA's definition of security includes cybersecurity and a broad definition of cybersecurity. A single cybersecurity incident, however, can implicate the private information of hundreds of thousands of Canadians. All data affected incidentally by such a cybersecurity incident could be relevant, and the underlying security breach could be viewed as relevant to activities that undermine the security of Canada and, hence, could be subject to exceptions in SCISA. Given this potential for over-sharing, other jurisdictions have sought to address cybersecurity in an explicit manner that is distinct from other investigative contexts, and that specifically addresses these issues.
Additionally, while SCISA excludes advocacy, protest, dissent, and artistic expression from its definition of security, CIPPIC remains concerned that SCISA's security concept remains sufficiently ambiguous to undermine core democratic functions. We have seen government agencies recently targeting journalists, for example, in attempts to identify potential sources attempting to uncover police corruption. We have also seen the targeting of indigenous activists, not on the basis of their participation in protests per se but on the basis that such participation potentially poses a criminal threat to aboriginal public order events.
It is not clear to us that the prevailing exemption for advocacy and protest would exclude SCISA's being leveraged in these contexts for the purpose of preventing interference with public order. We are aware that the opposite conclusion is also possible and that the exception put in place is overbroad and doesn't allow for information sharing, even in contexts where violence may be the issue, but we feel it is sufficiently ambiguous to allow for either interpretation, and that is an ongoing concern for us.
Finally, CIPPIC is concerned that SCISA will be used as an avenue to feed domestic Canadian data into the Five Eyes integrated infrastructure in an unintended and unanticipated manner. CSE is Canada's lead Five Eyes agency and is a legitimate recipient of personal information under SCISA. While the framework under which CSE and its Five Eyes agency partners operate is presented as nominally excluding or limiting the impact on Five Eyes residents, and the permissive powers and activities granted to these agencies presume these underlying conditions to exist, SCISA could undermine those presumptions by allowing another direct avenue for Canadian information to flow into this apparatus.
Turning briefly to the lack of safeguards in SCISA, CIPPIC joins other experts in voicing our concern at the prospect of the nearly limitless post-collection retention that SCISA may facilitate. The Federal Court recently issued, as Professor Wark just mentioned, a decision heavily criticizing CSIS for its ongoing retention of large amounts of Canadian metadata that was not identified as necessary to any security threat and indeed was explicitly identified as not necessary to the resolution of any security threat.
In our analysis, SCISA could be perceived as providing CSIS with a justification for long-term retention of similar data, were that data disclosed to it through SCISA's information-sharing mechanisms. But we also note, more importantly, that other agencies such as the RCMP and CSE lack any form of retention obligations. We would suggest that the remedying of this lack of retention obligation would be best achieved through overarching amendments to the Privacy Act that would apply across all of government and impose an overarching retention obligation.
In addition, other overarching safeguards that could be adopted within the Privacy Act could provide additional safeguards and a better framework for legitimate information within a modified and reduced SCISA. These safeguards could include the adoption of privacy impact assessments and a more robust enforcement of the Privacy Act.
Those are my opening comments for today. I would be pleased to take your questions.
Thank you, Mr. Blaikie. I had the pleasure, once upon a time, of meeting your father. I just wanted to say hello.
There are various mechanisms in place. We're in the business, as you all know, of reforming and thinking about reforming the system. But the place to start with regard to SCISA and making sure that the government can be held to account for how this scheme is operated, even if it's amended, has to be proper record keeping.
Unless there's a paper trail, a digital trail, we'll never be able to do any accountability, and the Privacy Commissioner has made this suggestion in his annual report. That's one thing.
There is an issue of ministerial accountability as well. I note that the public safety minister, in recent testimony to the public safety committee, on the back of the Privacy Commissioner's annual report, said he has sent a letter out to all his cabinet colleagues encouraging them to ensure that all of their departments involved in SCISA are maintaining proper privacy protections. That's a step, but on its own, I think, it's an inadequate step, important as it might be.
So there's record keeping and ministerial accountability. Again, I would come back to the importance, certainly for the broader Canadian public, of transparency provisions that are part of the legislation. There is a mandated requirement to provide an annual public report from the relevant minister, in this case probably the public safety minister, on the operations of SCISA. It should be a meaningful report.
Then finally, there's the question of agents of Parliament and independent review bodies. Agents of Parliament, such as the Privacy Commissioner, clearly have a role to play. The Privacy Commissioner was trying to indicate that he has some resources but perhaps not enough. I know the Privacy Commissioner's office well. It's not my place to speak to it, but it has very limited resources on the national security side.
With regard to independent review, as everyone will know, the problem is that we don't have an all-encompassing independent review system. We have these siloed mechanisms that independently deal with CSIS, are meant to deal with the RCMP on the national security side but haven't yet, and deal with CSE, yet there's nothing for CBSA and many of the other core security and intelligence systems.
I think we're all at the point where we recognize that the system of independent review, which we've inherited over the years, is a legacy system that's not functioning well, and there are various proposals on the table for how to change it.
On top of that, a new committee of parliamentarians, if Bill is passed in Parliament, will be an added element in that picture of accountability.