Good morning, everyone, and thanks for the invitation to be here today. It's a pleasure.
We're studying the Security of Canada Information Sharing Act, which, as you all know, was introduced as part of Bill , and it is now law.
My general concern with the Security of Canada Information Sharing Act, or SCISA, and the Anti-terrorism Act 2015 is that it was essentially it was broad and unnecessary legislation in essence. The entire piece of legislation, including SCISA, was unnecessary, and the justification for it was not there.
Our national security sector is in need of significant change and reform, and we do need to share information. Those things need to happen in Canada, but Bill and SCISA were not the correct responses to address those very real concerns that have been festering away. Mr. Kapoor can talk about some of the commissions of inquiry. We can talk about that, but some of our commissions of inquiry have made excellent recommendations identifying the problems in our national security sector, and for various reasons those recommendations have gathered dust now for 10 or more years, even the O'Connor inquiry.
That's the context in which I put my comments forward.
The other piece is that the Anti-terrorism Act, 2015, which, as you see, is called the “anti-terrorism” act, was styled as an anti-terrorism law and sold as an anti-terrorism law, and that's not what it was. It was and is a broad national security bill, and it's quite far-ranging. We can talk about some of that today in this piece of legislation, and I'm happy to talk about the other elements as well, if you like.
Again, it was not necessary, because what we needed to do was reform a number of things in national security. There were specific and focused items that we needed to deal with, and we still have not dealt with those. The Anti-terrorism Act, 2015 does not address those concerns. In some cases, it actually makes those problems worse and actually diminishes the capacity of our national security services to find threats and neutralize them.
In general, I think Bill and SCISA fail on three essential elements that I like to talk about: legality, accountability, and effectiveness. These are the cornerstone principles that I look at when I'm assessing law.
In terms of legality, that would be a sense of the rule of law, that law and policy need to be compliant with the rule of law and the charter, need to be necessary, and need to be proportional. There needs to be a public justification and an explanation of why we need law, because we don't just make laws that are not required, and we need to be compliant with our international human rights obligations as well. I think ATA 2015 and SCISA fail on legality.
Let's talk about accountability. You're all parliamentarians. All of us went to school here, I assume, and learned about responsible government. To me, that's the nub of accountability: that we have a government that's responsible. Public justification comes into it, so that citizens know why we are doing things. You as legislators explain that and are transparent in that.
Bill lacks that. Public justification is not sound. It doesn't introduce transparency into the national security sector or into the law itself. The public justification in that process itself was a little broken. Again, in terms of a culture of accountability across government and in the notion of responsible government, that culture of accountability also needs to be in the national security sector. That is clearly lacking in Canada.
What we ought to have is an evergreen process of accountability in Canada, in national security but in government generally. I think that would make our national security system work better, be more accountable, and have public confidence, and at the end of the day, I think we'd be safer.
The last piece in my principles assessment, the lens I look at things through in terms of law and policy, is effectiveness. Is it effective? Does it work? I actually think ATA 2015 and SCISA are not effective in getting to what we want. We want a national security system that identifies threats, keeps Canadians safe, and complies with the rule of law and the charter, and so on. They actually don't make things better. They make things worse.
We spend a lot of money on national security. I put it to you that some of that money is not money well spent, because when we talk about SCISA, we'll talk about how we may be chasing red herrings, collecting too much information, and missing the point. That might make people feel safer, but I don't think it actually makes us safer.
We do need to share information and national security—don't get me wrong—and we do need to investigate threats and get at them, but we need to do it in the right way.
Bill and SCISA are not the right way to do this. Again, part of effectiveness is necessity. Did you need this law? I'm still scratching my head as to why Bill was needed. Purportedly, it was in response to the acts committed, one of which was in Ottawa—the killing of Corporal Cirillo—and the other of which pertained to a gentleman in Quebec. Those were terrorist attacks, criminal attacks, but although Bill was sold in that context, there's really no link to how it addresses those issues.
Those are operational problems. We can talk about that, and those need to be fixed, but Bill does not address those incidents of 2014.
Again, I come back to evergreen accountability. When it comes to national security, the first thing we need to do is prevent. The second thing we need to do is investigate. You prevent as much as you can, and that's front-end work. Not a lot of people know that. That's either community relations or working to move people off the road to violence.
If that doesn't work—in some cases, obviously some actors are committed—you want to investigate and interdict. That's where police come in. I have some serious concerns about the CSIS disruption powers, but the police need to be involved in interdiction and prosecution. Then we need to review—that's an important part—and reform, to improve the system.
That loop is the evergreen process that I'm talking about. We do not have that working well in Canada, and that's what we need to think about.
I have three minutes, so let me talk a little about SCISA itself.
As I said, information sharing is needed in Canada. We need to do that in policing and in national security, but it needs to be done right.
Mr. Kapoor is here and Mr. Cavalluzzo was supposed to be here. Mr. Kapoor was involved in the Air India inquiry and Mr. Cavalluzzo in the Arar inquiry. Those are two ends of the spectrum.
As a Canadian of Indian extraction, I can tell you first of all that it was not acknowledged for a long time that Air India was a Canadian tragedy. There was a failure of information sharing and institutional egos. That's one part of the problem.
The flip side is Arar, where reckless information sharing led to disasters.
What we need to do is learn from those lessons and get to the middle. Again, I'm not against information sharing, but it needs to be done right. SCISA is the wrong way to do this. It's overly broad, unbounded information sharing.
I usually use the analogy that if we're trying to catch terrorists, it's like finding a needle in a haystack. SCISA is adding a couple of trailer loads of hay to that pile. God forbid there's a disaster, a terrorist attack or something to that effect, and we find out that we had too much information and that what we needed to look at snuck through. What we really need to be focusing on are the real threats.
I have about a minute and a half left, and I know you're going to keep me to the 10 minutes. I'm happy to talk about the details and I'm sure we will, but I'll close with the broader context.
What we really need to do is reform national security, as I said. One piece of that, as you've heard from others, is review, proper review. I know some of our agencies don't have any reviews. Some do. They're siloed. You've heard all of that.
You've heard Kent Roach, Craig Forcese, and others echo those concerns. I really am an advocate. I believe you have my submissions from Bill previously. I'm an advocate of a unified, independent, national security review agency, the Canada national security review agency.
If there's integration in national security intelligence and operations, you need that counterweight. We can talk in detail about that, but that's one piece that needs to happen, and there are other pieces.
I'll be idealistic and tell you, “Let's repeal the ATA 2015. Let's start again and find those fixed pieces.” If you're willing to do that, I'm happy to work with you on that. If you're not willing to do that, then SCISA really needs significant reform, as do other pieces of Bill . The biggest piece for me is the CSIS disruption power. CSIS should not have those powers, full stop. Those powers should be repealed.
I'll stop there. I'm happy to talk about the rest of it. Thank you for the opportunity.
First of all, thank you very much for the invitation. It's a pleasure to be before you.
I've had the opportunity to read the testimony from your previous witnesses and I hope not to repeat what others have said.
I want to contextualize my remarks and my evidence before you in the following way. Information is the lifeblood of all intelligence agencies. Without information, there's no intelligence. I'll repeat that: without information, there's no intelligence. In order to effectively have a proper security intelligence apparatus, you must have information.
In these times, you all know that we're swamped with information. Everywhere you go, there is information. The government collects an astounding amount of information on every one of you; on every aspect of each of your lives, the government has information. The ability to maintain all these bits and bytes of our lives poses a huge challenge for our society in the private sector and certainly for government in the public sector.
I can tell you that as commission counsel on the Air India public inquiry, I had a front-row seat to a failure of information sharing that had catastrophic consequences. When I led the evidence of the victims' family members in part 1 of our inquiry, as counsel—I do a lot of trial work and a lot of appeal work—it was amongst the most challenging evidence I've ever had to lead. The impact on those folks was real and remains so today. It remains tangible today.
Similarly, although not as commission counsel, I acted in one of the closed proceedings in the Arar matter. I was involved with some of the folks who did that. I can tell you that the failure to have a proper, regulated flow of information has had similarly catastrophic consequences for that person, but not only for Mr. Arar: it also has had catastrophic consequences for the agencies involved, and if the agencies come before you and say it didn't, I'm here to tell you that it did. No agency wants to be complicit in such a thing.
It becomes even more important now when we have a change in administration in the United States. The CIA is a vast organization that collects a tremendous amount of information and floods the intelligence community with information. If that agency begins to be more aggressive, what are our agencies going to do when the information floats into our data set? How are we going to vet it? How are we going to protect against it?
What I'm most interested in is trying to orient this committee, if I can, to take an approach to this legislation that is, for lack of a better phrase, a grown-up approach. This legislation is immature in a number of ways, and I want to underscore particularly this point. None of us wants the agencies that are charged with protecting us to be starved of important, necessary information. None of us wants that, but we all must also want a refined approach to information sharing that, in my respectful submission to you, more properly balances privacy with necessary information sharing. This legislation doesn't. You've heard from my colleagues, Professor Roach and Professor Forcese, and you've heard from the Privacy Commissioner. The evidence of all three of those folks I agree with entirely.
I want to underscore something about one of the problems with this piece of legislation. It is about a lack of accountability. I mean particularly this. As I said at the outset, lots of information is gathered on each and every one of you. Under this legislation, one of the problems is whether or not the phrase “activity that undermines the security of Canada” is constitutionally compliant. In other words, is it so vague that it would be a violation of section 7 of the Constitution?
Leaving aside esoteric notions of legal theory, the practical concern is that vagueness in that legislation is a gateway for bureaucrats to pass information. Also, it's deployed almost entirely by representatives of the executive branch, without any serious prospect that anyone outside the executive would know what's happening or how it's being applied.
For example, not one of you will know that information about you is passed from one of the 17 agencies to CSIS. You just won't know. You'll have no recourse. Even assuming that you had some information somehow, there is no place for you to go with it. There's no specialized review body. There's no court process. There's no way for you to hold the government to account.
I know we have limited time, but I want to conclude my opening remarks with this notion that I urge upon you with as much force as I can: fundamental to any democracy is the ability to hold government to account for its actions. That can mean in court, at the ballot box, at an administrative tribunal, or in a review or oversight body.
However, blind faith and trust in government is not a virtue. Blind faith in CSIS, the RCMP, and all of these other agencies is not a virtue.
Instead, each one of you must have at your disposal the ability to call government to account for its excesses. Given the ubiquitous nature of information and the extent to which it reveals our tastes, preferences, and inner thoughts and beliefs, any regime that authorizes the sharing of information must be refined to regulate sharing that is necessary to protect national security. All of this requires—in my respectful submission to you—more conservative definitions and a more conservative approach to protecting information and ensuring that information that's necessary is delivered to the agencies so that they can discharge their duties.
In closing, then, the relationship between the citizen, his or her information, and the various government agencies is something that needs to be recalibrated in this piece of legislation.
There are a number of different ways it can be done. You have heard from some witnesses who have indicated changes in definitions. Those are all useful. I appreciate, though, that it may be beyond the remit of this committee. The notion of an independent reviewer is necessary, as well, as part of the framework of oversight and review in the national security environment. A committee of parliamentarians also may be able to do some work in this area, depending on how that committee is structured and staffed.
Really, in this moment when we have such upheaval around the globe, when various intelligence agencies are forwarding information to our intelligence agency, and when information is being domestically being harvested, we cannot not take this opportunity to apply a rigorous standard. If we don't, sadly, what might happen are events like the two horrific events that have happened already: Arar for the agencies and for Mr. Arar, and Air India for all of those folks.
Those are the comments I wish to open with.
Again, I thank you very much for the opportunity to address you.
Thank you for the question.
I think the bill itself—or rather, the law now—was so fundamentally flawed that whatever redeeming qualities it might have had were outweighed by the flaws. I usually use this example. If I bought a house that had a crumbling foundation, I wouldn't throw a few coats of paint on and say, “Let's keep this.” I'd say, “Let's start again.”
Let's go through some of the essential elements of Bill .
The CSIS provisions give CSIS secret disruption powers to essentially disrupt people's lives and take actions that could result in disasters, as Mr. Kapoor said. They are a non-starter in a democracy. Things could happen to people, and they would never have legal recourse. They happen in secret. They would never see the light of day.
In a criminal context, police get warrants and they do have secret wiretaps, but ultimately it sees the light of day. You have a day in court. That's essentially our system. When the state acts against you, you have the right to defend yourself. When CSIS acts against you under these disruption warrants, you will never know and you will never have the right to defend yourself. Whether you're guilty or innocent, you won't have a shot to defend yourself.
Let's talk about promoting and advocating terrorism. First of all, the definitions in there are loose to begin with. The Criminal Code already has always had counselling offences, so when you're involved in criminal activity and encouraging it, you can be caught.
The Anti-terrorism Act, 2001 introduced criminalized actions that were removed from action, such as facilitating terrorism or encouraging someone to start committing a terrorist act. I had critiques about that, but it was still close enough to the act. In criminal law, what you want is to criminalize the act. Terrorism is essentially violent acts. They want to kill someone, so let's say it's killing someone. If I facilitate you to do that by encouraging you, giving you money, talking to you, I can be caught there. As a democratic society, we want to capture the act or something close to the act. If we get far from the act, we're starting to stray from our criminal law and democratic principles and we're starting to criminalize speech. What I learned in law school is that you don't pass redundant laws.
In the Anti-terrorism Act, 2015 we already had facilitating, which is close to the act. Then this must be something further removed from that, so now we're getting very close to criminalizing speech. I'm not saying I support people who say things that encourage terrorism. Of course, we all condemn that, but we live in a society where we tolerate some of that offensive speech.
The Immigration and Refugee Protection Act amendments in Bill essentially rolled it back, and Mr. Kapoor can speak to this in more detail because he is a special advocate. The Charkaoui decision said that in the security certificate process, secret proceedings where a judge sat alone with a CSIS lawyer were essentially unconstitutional. They introduced special advocates to represent the interests of the named party on the security certificate. Bill essentially rolls that back. IRPA was amended to say that the special advocates don't have access to all the information. It kind of undoes what the Supreme Court has told us.
Those are three pieces of it.
Let's talk about the no-fly list. We can debate till the cows come home whether no-fly lists—
I concur with my colleague's comments. How do we find reliable information? That's what ought to be shared. That reduces the hay pile, for one, so we can get at the needles. The other piece is that then we avoid mistakes.
I'll give you some hypotheticals. Let's look at the definition, as Anil's pointed out. The real risk is that we've cast the net so wide when it was styled as “terrorism”. Terrorism is item (d) here. That's not even a Criminal Code offence, so that's something that needs fixing. Let's assume that's one piece, and we can agree with that. Nuclear proliferation and all of those are fine. Those are national security issues. However, then it's so broad that it's open-ended. Who hits the national security radar? If you see my submission, that little chart shows whole-of-government information sharing, so all these disparate decision points across government are making a low-threshold test to put information into this bucket. Someone may say, “Well, I have nothing to hide”, but in today's world, with data management....
Let's use my Saudi example. You're involved in trying to get Raif Badawi out of that hellhole in Saudi Arabia and you go to protests. The Saudis' intelligence says, “Some of these people are causing trouble for us.” Obviously they have a very low threshold of what's undermining their state security.
These countries usually see everyone as a terrorist. You or I are going to a protest, starting a petition against Saudi Arabia, boycotting Saudi oil or something, and we get picked up on their radar, so now we're in this bucket of data. It isn't just that piece of information, but it's the data crunching now as well, because it's whole of government. Now somebody might say, “Well, you know what? I've flagged someone of some suspicion at that low threshold, so let's see what else. Let's see what FINTRAC has on this person.” Those points are then put together and may create a false positive suspicion, so it's not clear, but there's a lot of data mining and data crunching going on through analytics.
Then we may share. This is the Arar-type situation. We may then say, “Here's the Saudi threat profile of protesters in Canada, and let's share it with the United States or with Saudi Arabia.” Then, after the fact, we may say, “Well, this was a mistake.” In our case, the agency may say, “Well, Ziyaad's cleared; expunge him from our CSIS database.” First of all, you're now in a bunch of other Canadian databases, so who's controlling that? The rules on retention and expunging are not clear. They're not even not clear; they're not there.
Then the other piece is, who's reeling back the information? In today's world, you see what a tweet does. You can't reel back a tweet, and this is much worse than a tweet. The worst thing would be if your name shows up and you're flagged and you go somewhere. Arar showed up in the U.S., and he was sent to Syria. Many Muslim Canadians travel to Saudi Arabia for a religious ritual, but if you now show up and land in Saudi, everything's integrated. Your passport's scanned and you're red-flagged there, and there's a real risk you won't just be sent back: you're going to be kept there, and that's worse than being sent back.
Those are the types of risks with data mining and harvesting all sorts of information under this very broad definition. What does “undermining the financial stability of Canada” mean? We make the debate about people who are involved in activities that criticize Canada's policies or whatever, and that's fine. We should have that debate. My worry is that this definition is going to put all sorts of innocent Canadians onto the national security radar when they should not be.
That's a tough nut to crack, because I'm not an IT guy. I'm an Indian guy, but I'm not an IT guy; I'm probably one of the only Indian guys who doesn't know anything about computers.
Voices: Oh, oh!
Mr. Ziyaad Mia: I think the one of the solutions is to have a sort of centralized control over it. I recommended in the submission that there needs to be some centralized control of information sharing. The departments could do their piece, but somewhere in government—maybe in Public Safety—there would be someone overseeing all of this. The Privacy Commissioner and SIRC and everybody will do their audits, and we're calling for a national security review agency. Those will be the watchdogs, but someone in government needs to be shepherding the whole thing by asking what's being shared, what are the thresholds that are the same across government, and then asking, “Are we doing this and is it consistent?” Then if there's a false positive or something, that person or that entity within government would be able to issue instructions across government to say, “Search your databases for this record and this person and remove that information.”
It's not a fail-safe method, because government is so huge and people forget and whatnot, but it still leaves us with the real problem back in the world, because if it has left here and has gone to the Five Eyes or to Saudi Arabia, we'll never get it back. We have no control over how they deal with that information. We don't even have control anymore to tell them that they have to use that information “relevant to these issues”. They could use it for some other purpose completely.
I think there's a possible fix, but in today's big-data world where there is so much information, it's very hard to clean that up. I think one attempt would be a centralized review, and then a way to issue instructions across government.
Take, for example, the no-fly secure air travel passenger protect program. I don't even know what's happening, because it's shrouded in secrecy. We can debate about whether it works, but let's say you get the passenger manifest and you check for the names. If none of the names are on the flight and the flight lands safely, why should that information be kept?
I remember Bill years ago, when they introduced the regulatory framework for the no-fly list. That information could be shared around and kept indefinitely. I do not want the travel data of all Canadians flying on Canadian airlines kept in government databases to then be mined for travel patterns. We know that CSIS and CSE have played funny with metadata and and have crossed the line.
You have metadata and travel patterns, and you might be pulled in here now. You can see that all of this is there in government databases, and the preamble to the act says that there is the ability to collate. That, to me, is data mining. That's what it's enabling. Clearly, that's what part of it is. We do need to do some of that, but again, the net is cast so widely.
My starting position is that Canadians' privacy needs to be protected. If the government doesn't need to have information about you to do business with you—to vet your taxes or your health records—they should not have it as a starting point. If they have collected it in this process of security screening, once you're not a suspect or the flight has landed, etc., they should expunge that information. That's how we minimize the databases and avoid errors.
I'll try to be quick without going through the whole list.
I think the amendments were essentially on lawful advocacy. I believe there was one other amendment, and it was to section 6, which says that information can be shared for any purpose. The complaint I had was that this was essentially completely unwarranted, even in this broad act. Once the recipient agency has it, it can then be shared anywhere, including with foreign agencies, for any reason. There was some amendment to that.
I don't think those amendments essentially changed the core of my concerns. I'll just quickly go through them.
The word “lawful” was dropped on the advocacy. That is fine, because the complaint was that people can be unlawful but not violent, just civilly disobedient, and do we want to pull those people into the national security net? I don't think any of us want to do that.
I believe that Professor Roach and Professor Forcese raised the issue of violence. I concur with them that you need to clean that definition up to make it a little tougher. It's a little loose now. It needs to mirror the Criminal Code's lawful exemption, where advocacy, protest, and dissent that are not violent are covered. They could be unlawful but not violent, and we would all probably agree on that.
I don't think the other amendment on section 6 actually changed anything. Some words were changed to say that sharing is neither allowed nor prohibited but must comply with law. The question was, which law? The green paper's legal interpretation of the Privacy Act is that SCISA is a lawful authority to override the Privacy Act. Essentially, section 6 still says that you can share with anyone, and it's not even linked to the purpose of SCISA anymore.
Essentially, those are the two amendments. I don't think they change my concerns with the bill.