Congratulations, Mr. Erskine-Smith.
Let's get back to the item before us, colleagues, now that is taken care of.
Colleagues, we are pleased to have with us today in our continued study of the SCISA, otherwise known as Security of Canada Information Sharing Act, from the Department of Transport, Mr. Donald Roussel, associate assistant deputy minister, safety and security group, and Marie-France Paquet, director general, intermodal surface, security, and emergency preparedness. From the Communications Security Establishment, we have Mr. Dominic Rochon, deputy chief, policy and communications. From the Department of National Defence, we have Mr. Stephen Burt, assistant chief of defence intelligence, Canadian Forces intelligence command. There are also all sorts of other support staff in the room.
We thank you very much for being here. It's much appreciated. We've had a lot of testimony. I'm sure you've had an opportunity to review some of that testimony from groups presenting here before the committee. Now it's our pleasure to actually hear from the folks who use the legislation.
We'll hear for up to 10 minutes from each of your respective departments in the order in which you were introduced.
Mr. Roussel or Madam Paquet, the floor is yours for up to 10 minutes, please.
Thank you, Mr. Chairman, for the invitation to appear before the committee. My name is Donald Roussel, and I am the associate assistant deputy minister for safety and security at Transport Canada. I am joined, as you mentioned, by Marie-France Paquet, director general, intermodal surface, security, and emergency preparedness.
I will go through an overview of the mandate of our department, which includes the promotion of safe, secure, and efficient transportation for Canada and Canadians.
To fulfill our mandate, the department uses, updates, or develops legislation, regulations, policies, and standards to safeguard the integrity of the air, marine, and surface modes of transportation for Canada. We also implement programs. We monitor, test, and inspect to enforce the regulations and the standards.
The main groups in charge of promoting security are aviation security, marine safety and security, surface and intermodal security, the security screening program, and security intelligence assessment.
The aviation security directorate is responsible for safeguarding the integrity and security of the Canadian aviation system through a comprehensive suite of legislation, policies, regulations, and security measures. The directorate regulates and conducts oversight of the industry, including airports, air carriers, and airport tenants, and the Canadian Air Transport Security Authority, more known as CATSA, which provides screening services of passengers, their baggage, and non-passengers at 89 designated airports.
The marine safety and security directorate develops and implements policies and regulations promoting the safety and security of the marine transportation system, and conducts related oversight. This includes mandatory reporting of security incidents by industry, and comprehensive safety and security inspection regimes.
The surface and intermodal security directorate manages Transport Canada's rail security program. Guided by the Railway Safety Act, the International Bridges and Tunnels Act, and the Transportation of Dangerous Good Act, SIMS works with partners to enhance the security of surface and intermodal transportation across Canada.
The security screening branch collaborates with security and intelligence agencies and administers the transportation security clearance program to mitigate risks posed by individuals who are potential threats to aviation or maritime transportation and infrastructure.
The security intelligence assessment branch is the departmental point of contact with the intelligence community. It is responsible for analyzing and disseminating relevant intelligence within Transport and to industry stakeholders.
Finally, the emergency preparedness branch, which includes our situation centre, responds to emergency situations, safety and security incidents, natural disasters, or emerging threats impacting the national transportation system. The situation centre operates on a 24/7 basis and works in close co-operation with other government response centres.
On national security responsibilities, I will now turn to Transport's jurisdiction and responsibilities with respect to measures to mitigate external activities that undermine the national security of Canada and describe the safeguards ensuring that exchanges of information are conducted in compliance with federal legislation and policies.
Canada's national transportation system is vital to our economic prosperity and a key national security component that can be undermined by criminal activity, threats to, or interference with this vast and complex system.
Our responsibilities include identifying, tracking and responding to threats to surface—including rail, international bridges and tunnels—marine, and aviation transportation emanating from terrorists, sabotage, or other forms of unlawful interference, such as hostile cyber activity. Our security intelligence assessment branch depends on open source information, as well as classified information from agencies like the Canadian Security Intelligence Service or CSIS, the Royal Canadian Mounted Police, Global Affairs Canada, and the Communications Security Establishment Canada.
Access to security intelligence information allows Transport Canada to effectively and proactively identify and address threats to transportation. Any restrictions or reductions in the quality and quantity of information originating from the agencies with national security responsibilities could undermine our ability to meet or legislate responsibilities and negatively impact the security of Canada.
Transport Canada relies on multiple legislative and policy instruments to fulfill its mandate. These instruments allow the department to implement appropriate policies and regulations, deploy technologies that enhance transportation security, and conduct oversight and enforcement. I will briefly describe some of the legislation that Transport administers in relation to its national security responsibilities.
The Aeronautics Act is the primary legislation governing civil aviation in Canada and authorizes the development of regulations and security measures for the security of aerodromes and commercial aircraft operations. The Marine Transportation Security Act and the marine transportation security regulations provide the with the authority to establish measures and regulations to ensure the security of Canada's marine transportation industry. This includes preventive measures and a framework to detect incidents that could affect vessels or marine facilities.
The Railway Safety Act promotes and provides for the safety and security of the public and personnel, as well as the protection of property and the environment for railway operations. The act has a number of instruments that can be used to promote security, including the issuance of emergency directives and security measures. TC has yet to resort to Security of Canada Information Sharing Act provisions to fulfill its national security responsibilities. Information exchanges occur under existing TC legislation or legal authorities of other institutions, as well as under the Privacy Act.
Regarding information safeguard mechanisms, information on security threats is found in different government institutions. That is why efficient and responsible sharing of information among government institutions is essential to a government's ability to identify, understand, and respond to threats to its national security. I will now describe the mechanisms in place to ensure that exchanges of information at Transport Canada respect Canadian laws and policies.
Since 2012, we have been guided by a comprehensive document entitled “The Transport Canada Intelligence Function Guidelines to Intelligence and Information Sharing”. It has clear instructions on information disclosure, including personal information among Government of Canada departments and agencies. All TC programs involving national security information disclosure include effective tracking systems to ensure privacy rights are respected. Here are some examples on how personal information disclosure is managed in two key programs with major national security implications.
First, the security screening program involves the use of a records management database and a stand-alone network to manage personal information on government employees, as well as workers who require access to restricted areas of ports and airports. Information is collected and disclosed pursuant to the appropriate consent obtained with the applicant's signature.
Secondly, the passenger protect program administered by Public Safety and the application of the Secure Air Travel Act aim to prevent listed individuals from threatening transportation security or using civil aviation to travel for the purposes of terrorism. TC is mainly responsible for delivering the operational components of the program, including sharing the SATA list with air carriers, vetting potential matches identified by air carriers on a 24/7 basis, contacting PSC in the event of a positive match, communicating PSC's decisions to air carriers, and conducting oversight, compliance, and enforcement of SATA and its regulations. All sharing is authorized by and performed within the authorities and scope of the SATA.
Transport Canada identifies a limited number of officials authorized to receive information for exchanges under the Security of Canada Information Sharing Act, and a similar instrument for disclosure is in preparation. Continual efforts, including training, are under way in the department to ensure that the employees are aware of their responsibilities concerning the collection and use of personal information under the Privacy Act.
Sharing information on known threats or to prevent threats from developing is critical. We are committed to doing so in a responsible manner.
I would like to thank you for the opportunity to contribute to your study, and I welcome your questions.
Thank you and good afternoon, Mr. Chair and members of the committee.
My name is Dominic Rochon, and I am CSE's deputy chief for policy and communications. I'll add that I have the distinction of being CSE's chief privacy officer and the delegated authority under the Access to Information Act and the Privacy Act. It is a pleasure to appear before you today as you continue your study of the Security of Canada Information Sharing Act, otherwise known as SCISA.
I’ve been invited here today to clarify the mandate of the Communications Security Establishment, or CSE, and to provide insights into how CSE protects the privacy of Canadians while engaging in activities that ultimately protect Canadians from foreign threats.
For committee members unfamiliar with CSE and CSE's history, I can tell you that CSE has been in the business of protecting Canadians for over 70 years. Protecting the privacy interests of Canadians and persons in Canada has always been integral to the performance of this mission.
Let me first start by explaining our mandate and the work that CSE does to protect Canada. Our mandate consists of three parts, as defined in the National Defence Act. The first part, referred to as part (a), authorizes CSE “to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities”.
I emphasize “foreign” because CSE only directs its activities at foreign communications. CSE is prohibited by law from directing its activities at Canadians anywhere or at anyone in Canada.
CSE produces valuable intelligence under part (a) of its mandate. For example, CSE provides vital information to protect Canadian troops in Iraq as they contribute to the global coalition to dismantle and defeat Daesh.
In addition, CSE’s foreign signals intelligence has also played a vital role in uncovering foreign-based extremists’ efforts to attract, radicalize and train individuals to carry out terrorist attacks in Canada and abroad.
The second part of our mandate, known as part (b), authorizes CSE “to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada”. This part of our mandate authorizes CSE to protect Canada from the growing cyber threat.
Cyber threats used to be the exclusive domain of nation-states. That is not the case anymore, as malicious cyber tools become easier to obtain and the motivations for malicious actors become more diverse. In this rapidly changing threat environment, the services of CSE have become increasingly important.
Across the government, CSE is protecting 700 million connections daily from a user population of about 377,000 people. Every day we block over 100 million malicious attempts to identify vulnerabilities and to penetrate or compromise Government of Canada networks. CSE also shares cyber threat information with Public Safety Canada for further dissemination to the private sector in order to protect the intellectual property of Canadian businesses.
Finally, the third part of our mandate, referred to as part (c), authorizes CSE to provide technical and operational assistance to federal law enforcement and security agencies in support of their lawful mandate. This part of the mandate is important for Canada's national security given that CSE possesses unique skills and tools not found in other government departments, particularly in the area of encryption. We know, for example, that terrorists are adaptive and tech-savvy. They use cutting-edge technology, smartphones and messaging applications to communicate. They also use very advanced encryption techniques to avoid detection.
As a result, the threat puzzle that intelligence agencies try to piece together is not always straightforward and requires co-operation to solve—a reality, in fact, highlighted in the preamble of SCISA. Sharing foreign intelligence and cyber threat information with our domestic partners is crucial to a whole-of-government approach to protecting Canadians. It is by sharing intelligence that we warn the Government of Canada about the intentions and capabilities of those beyond our borders who mean us harm.
When doing so, Canadians and persons in Canada cannot be the focus of CSE's activities, and CSE must apply measures to protect the privacy interests of Canadians included in any information being shared. These privacy measures take the form of rendering Canadian identifying information found in the intelligence being shared unintelligible, leaving it to the receiving Government of Canada department or agency to demonstrate a need for that information and the authority to receive it.
Although information sharing is essential to protecting Canada’s security, CSE recognizes that the sharing of information could potentially touch upon fundamental rights and freedoms, particularly the right to privacy.
I want to stress that, not only is protecting the privacy of Canadians a fundamental part of CSE's organizational culture, it's also enshrined in CSE's mandate. The National Defence Act directs CSE to protect the privacy of Canadians in the use and retention of information.
As such, CSE has multiple policies, structures and processes in place to ensure continued adherence to privacy laws and policies.
These structures include executive control and oversight, operational policies, procedures and compliance measures, an on-site legal team from the Department of Justice, and active ongoing monitoring of internal processes. CSE's privacy framework includes operational policies that set out specific handling processes, retention periods, and sharing guidelines. These policies also allow for the validation, tracking, and auditing of information received.
CSE also provides regular training and testing for staff on our mandate, privacy rules, and compliance. In addition, all of CSE's activities are subject to robust, external, expert review by the independent CSE commissioner. The CSE commissioner, who is usually a supernumerary judge or retired judge of a superior court, has full access to CSE employees and records.
I would also like to add that the CSE commissioner has all the power of the commissioner under part II of the Inquiries Act, including the ability to inspect any records held by CSE and the power to subpoena CSE employees to provide information.
The work of the CSE commissioner has had a positive impact on CSE's accountability, transparency and compliance. It has also led to CSE strengthening a number of its policies and practices. The Office of the CSE Commissioner staff regularly interact with CSE employees when conducting reviews. Since 1996, CSE has accepted and implemented all the CSE commissioner’s privacy-related recommendations.
Though much of what we do is classified, we are committed to becoming more open and transparent about how we protect Canadians' security and their privacy. We know that openness is crucial to ensuring public trust in what we do, and as the government pursues its overall national security agenda, we continue to be forthcoming about our operations.
With respect to SCISA, you are aware that SCISA lists CSE as an entity that can receive information from another Government of Canada institution. I want to emphasize that SCISA does not supersede or expand CSE's authorities to collect or receive information from our domestic partners. To date, CSE has not relied on SCISA to receive or disclose information. CSE's existing procedures and processes to authorize and manage information sharing meet or exceed those set out in SCISA.
When sharing information, CSE currently relies on authorities under the National Defence Act. Information sharing at CSE is undertaken in accordance with the provisions of the Privacy Act. CSE's established information-sharing arrangements are set out in information-sharing agreements with our domestic security and intelligence partners.
CSE may also receive information from Government of Canada agencies under the National Defence Act and the Privacy Act authorities when relevant to its mandate, although the need to receive information is minimal considering CSE cannot direct its activities against Canadians or persons in Canada.
I should add that the CSE commissioner does conduct an annual review of our information-sharing disclosure activities, and to date he has always found that these activities were done in compliance with the law.
I'll conclude my remarks by stating that I am confident in our ability to fulfill our mandate while safeguarding the privacy of Canadians. My confidence stems from both the rigorous legal and policy frameworks in place to protect the privacy of Canadians, and the professionalism and commitment of CSE's highly skilled workforce.
Thank you for inviting me here today. It would be my pleasure to answer any questions you might have.
Mr. Chair and members of Parliament, thank you very for the invitation to appear here this afternoon.
It’s my distinct pleasure to speak to you today about the Security of Canada Information Sharing Act, or SCISA.
Before I speak about SCISA and provide my organization's perspective on it, I'd like to provide some background on the role of my organization because I think it is perhaps not as well known as some of the others.
The chief of defence intelligence, or CDI, is the functional authority for defence intelligence in Canada. The CDI is also the commander of the Canadian Forces intelligence command, or CFINTCOM, an organization with a mandate to provide credible, timely, and integrated defence intelligence capabilities, products, and services to the Canadian Armed Forces, the Department of National Defence, the Government of Canada, and our allies in support of Canada's national security objectives.
Defence intelligence is a key element in the ability of the Government of Canada to make informed decisions on defence issues, national security, and foreign affairs. You can be assured that our intelligence capability is world class, boasting a strong team of dedicated professionals and benefiting from productive relationships with other government departments as well as our partners in the Five Eyes community
CFINTCOM focuses the vast majority of its energy on foreign military threats and support to CAF operations abroad. However, I appreciate the opportunity to discuss domestic information sharing under SCISA and turn now to the subject at hand.
First, please allow me a word concerning our current information-sharing authorities outside of SCISA and the measures we take to protect personal information when it comes into our care. Department of National Defence and the Canadian Armed Forces information-sharing activities are generally conducted under the crown prerogative for National Defence, and we have in place a robust governance regime that includes numerous policies, memoranda of understanding, and other information-sharing arrangements as well as oversight and accountability mechanisms related to the handling of that information.
The majority of the information that National Defence and the CAF share and receive is operational and not personal in nature. This can include information regarding deployed CAF assets, defence intelligence in support of operations such as satellite imagery products, or imagery in support of activities undertaken with foreign defence partners.
However, although SCISA could be used to receive and share that type of information, the Crown prerogative also serves as the legal basis to receive and share personal information in the national security field as part of the mandate of the national counter-intelligence program.
Under this program, the Canadian Armed Forces ensure that threats to the security of National Defence and the Canadian Armed Forces in Canada or on deployments abroad are identified, investigated and countered.
In fulfilling this mission, the Canadian Forces national counter-intelligence unit shares and receives information, including personal information, with police and security intelligence agencies under the auspices of the security intelligence liaison program. Activities conducted under this program are authorized by an internal oversight to ensure compliance and consistency with the national counter-intelligence program's mandate, including that the receipt and dissemination of information is carried out in accordance with National Defence and CAF policy and access to information and privacy legislation.
With respect to SCISA, let me first point out that the act does not create or expand the collection mandates of any federal departments or agencies, including those who use the act. Any information that will be shared with listed departments or agencies will have been collected lawfully and in accordance with the collector's mandate. The type and nature of information that is being shared with listed departments and agencies are the same as they have been receiving in the past. Only the sharing has been facilitated.
The main contribution of SCISA is the following. A department that will have collected information in accordance with its mandate, and therefore for a certain purpose, is now able to share that information with another department, even though the recipient will use it for a different purpose, as long as it is in line with its mandate and the information relates to an activity that undermines the security of Canada.
Further, only the head of an institution listed in the schedule or his or her delegate can receive this information. This is a marked departure from normal business where anyone in an organization can be part of a sharing arrangement. Having the head of the institution involved helps ensure that the requirements will be followed.
At the time of our last communication to the Privacy Commissioner in September 2016, DND and the CAF had not shared or received any information under SCISA. Since then, there has been a single instance in which we shared information under the act.
In addition to the authority found under SCISA, other forms of authority, notably the crown prerogative, can and will continue to be used by DND and the CAF. Note that SCISA does not in any way limit or affect the information-sharing authorities provided under the prerogative. For clarity, this is stated in the act itself in section 8. SCISA does, however, assist other government organizations in sharing with DND and the CAF. For this reason, we remain supportive of SCISA and wish to remain on the list of recipient organizations in schedule 3 of the act.
Should a government institution wish to share information with DND or the CAF under SCISA, we will adhere to the following process for receipt. Discussions with the providing institution will take place to establish whether the information is relevant and within our mandate to receive and whether it relates to activities that undermine the security of Canada. Once received, the information will be examined to determine which internal organizations in DND and CAF should have access to it.
Any information received under SCISA will be assessed in accordance with the requirements of the Privacy Act, the Access to Information Act, and all associated Treasury Board Secretariat policy and direction.
This concludes my presentation.
Thank you for your attention, and I look forward to answering your questions.
It's a complicated question.
In terms of the information we collect in our foreign signals intelligence mandate, we need to make sure that it meets with an intelligence priority as set by the government, that it pertains to international security and defence. That's sort of our staple.
We also have to, obviously, make sure that it's directed at non-Canadians outside of the country. Those are the staples in terms of what it is that we're collecting and the threshold that we're measuring.
From there, we assess that information and then we disseminate it. The litmus test is that our clients in the RCMP, CSIS, and other departments and agencies will then provide feedback to let us know whether that information was useful.
As far as foreign intelligence is concerned, we don't have any investigatory powers. We don't have any powers of arrest. We just provide foreign intelligence, and all of our foreign intelligence is caveated with the fact that it stems from our collection capabilities and what we were able to collect. We're ultimately, in part (a) of our mandate, not assessing. There are other parts of the government that will take our information, fuse it with other intelligence from other parts of the security intelligence apparatus, and then ultimately come up with the assessment.
On Tuesday, we had witnesses who made claims that would indeed be very disturbing if the substance of these claims were true. I'm going to ask you to confirm whether some of the things that were said about threats to the privacy of Canadians, and specifically about SCISA, are correct or not.
A concern was raised about bulk data collection and bulk data sharing between listed recipients, in contrast to a nuanced or targeted collection and sharing approach. I'd like you to comment on what bulk data collection and sharing means, and whether Canadian agencies and organizations do it.
Specifically, it was stated on Tuesday that, under SCISA, there's no limit on data sharing and no oversight. It was characterized as a blank cheque for Canada's national security agencies. It was stated also, as an example, that CSIS could go to the RCMP and ask for all the information it collected under warrants, but once in CSIS's hands, the information would not be subject to the conditions set out in the warrant. It was claimed that Canada hoovers up as much information about innocent people as possible through bulk data collection instead of a targeted approach.
These were some of things we heard in Tuesday's committee meeting. I would like each of you to comment on those claims, and whether these are legitimate concerns about privacy under SCISA.
It's very complicated. I'll give you the response in English that we usually provide.
We use the analysis of metadata, essentially. That, of course, is something that is very much a debate, and I think, for the most part, is misunderstood in terms of the need for metadata. Metadata information, particularly telecommunications metadata, allows us to be able to tailor our collection capabilities, to be able to understand and go after the information that we actually need.
First and foremost, what are our guidelines in terms of what we're looking for? The Government of Canada, cabinet, sets the intelligence priorities. Intelligence priorities are obviously classified, but it's not hard to understand. There is counterterrorism, for example, and when we're supporting military operations, we need to go after information pertaining to that.
The Internet, unfortunately, doesn't have a place where all terrorists go, so we need to understand, as all this information is intermingled on the global information infrastructure, how many pieces of information are being transmitted. We need to analyze metadata. Metadata can be an IP address or an email address, but it can also be when a signal passes from a cell tower to a server to somewhere else. It's through the analysis of metadata that we can then hone our activities and be surgical about what it is that we want to go after, because, as you can imagine, the Internet is incredibly vast. If you actually pause for a moment and try to understand what is actually happening on the global information infrastructure in a minute—how many YouTube videos are uploaded, how many people are tweeting, how many people are using Skype, or texting, or using social media and all of the things that are happening there—it is incredibly complex and incredibly vast. You need to be surgical if you're going to go after what it is that you're looking for.
What I can say, because it's been reported on by our commissioner in the last three years, is this. I'll use a private communication because that's something that's definitive in terms of what a private comm involving a Canadian is. One end is a Canadian. It's a communication that either originates or ends in Canada. That's a private communication.
When we come across a private communication, incidentally—and maybe I'll give you a quick example. I'm not trying to take up your time. If we're targeting bad guy X in country Y, we can't control what bad buy X in country Y is going to do. He might pick up the phone and call you. He decides to call you, and we're actually monitoring and collecting his information. When he does that, he might be calling you to share a recipe for soup, or he might be calling you to say, “Bombing the Parliament Building tomorrow is a go.” In the first example, if we come across a private communication and it has no relevance to international affairs, security, and defence, we delete it immediately. We mark that and we keep track of that marking, and our commissioner reviews and makes sure that we have deleted it and that there is no trace of it in our systems. In the second case, we keep it.
To your question in terms of volume, how many private comms did we keep over the course of a year? The first time that number was published was three years ago and that number was 66. Two years ago that number was 16, I believe, and last year that number was 340. You might be wondering if those are big numbers or small numbers.
As I was explaining to you earlier, just for yourself, for example, how many emails, phone calls, social media.... How many times do you actually use a private comm in a day? Multiply that by 365. Multiply that by the population in Canada, say 39 million, and you'll get an idea that there are billions and billions of private comms transmitting every single year. Of those billions and billions, the numbers in the last three years have been 66, 16, and 340 that we have kept for national security reasons. Hopefully, that gives you an idea of the volume.
No, we're not. Do you want to be?
Mr. Bob Bratina: No.
The Chair: I don't think there's anything here that will be terribly....
I received a letter from the chair of the Liaison Committee asking us if we have any committee travel. The subcommittee of liaison makes priorities and recommends them to the Liaison Committee for parliamentary committee travel.
I do not think we have anything. Should I respond? Unless somebody here has some ideas about a potential trip, I don't think we have anything to submit to the Liaison Committee for a request for travel. Does anybody foresee that?
No, so we'll just have our standard request of the standard committee amount for every study that we do.
Depending on the length of time that we're going to move on to PIPEDA, when we do, if we're going to hear from as many witnesses as have been submitted, we may actually have to ask for some more budget. I'm just letting colleagues know that. We should make sure that we have that discussion when we go to frame the length of any future studies that we have.
In terms of meetings, we have 26 meetings remaining until the end of June, excluding the last two sitting weeks of June, because we sometimes don't know when the House will adjourn.
We have witnesses this Thursday and witnesses next Tuesday for SCISA, and we have nothing booked, as you can see, for Thursday, February 9, and all the way through. We need to have some direction. We can continue asking witnesses to come on SCISA, or we can decide to wrap it up, move on with something else, and then provide some time. I'm getting the sense that we're done with SCISA witnesses, at this particular point. Do we want to bring in the ministers to close, or not? Is there no need? I'm sensing no need.
Then may I suggest that on February 9 we spend that day, or at least a portion of that day, giving priorities and instructions to the analysts for the draft report? Is that fine? Very good.
May I then suggest that with regard to Tuesday the 14th, through to the 16th, because we've already adopted a motion to study PIPEDA, I instruct the clerk to start inviting witnesses to testify on the 14th and 16th? That should give the analysts enough time to prepare a draft report.
When will we be able to have consideration of a draft report on SCISA?