Appearance before the Standing Committee on Public Safety and National Security (SECU) on Public Safety’s Green Paper

October 4, 2016
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Thank you, Mr. Chair and Members of the Committee, for inviting me to appear before you today to participate in your study on Canada’s national security framework.  In particular, I will be focussing my comments on the Government’s Green Paper Our Security, Our Rights, which was recently released.  We will present  our formal response to Public Safety by December 1st.  In the meantime, I am happy to provide preliminary comments on some key privacy issues raised in the paper, in the hope these may be helpful as you prepare to engage with Canadians in several cities across the country.

I note that the stated purpose of the Green Paper is to “prompt discussion and debate about Canada’s national security framework,” which is broader than the reforms brought about by Bill C-51, the Anti-Terrorism Act, 2015.  I fully support the need to review the entire framework.  But to do that in a comprehensive way, the focus cannot be only on addressing challenges faced by national security and law enforcement agencies.  It must also take into account other recent legislation and developments that have had an impact on human rights, including international information sharing and the need to adopt rules to prevent another tragedy like the one lived by Maher Arar.

In order to ensure our laws adapt to current realities, it is important to consider all that we have learned since 2001, including the revelations of Edward Snowden regarding government information gathering and sharing activities, as well as other known risks regarding protection of the privacy and human rights, including those identified during commissions of inquiry, as well recent terrorist threats and incidents.

Information Sharing

In my public statements on Bill C-51, I expressed significant concern with the broad information sharing authorized by the Security of Canada Information Sharing Act (SCISA).  I warned that the lowering of thresholds for sharing could lead to large amounts of personal information on law-abiding citizens being disclosed.  Edward Snowden demonstrated how government surveillance powers can be used on a massive scale.  Unfortunately, there is nothing in the Green Paper which addresses the lowering of legal standards for information sharing.

When C-51 was tabled, the government maintained SCISA was necessary because some federal agencies lacked clear legal authority to share information related to national security.  The Green Paper speaks to complexity around sharing which can “prevent information from getting to the right institution in time.”  These references to the "complexity" of the old law do not explain its shortcomings. Situations where legal authority is lacking can be identified, but so far they have not. I would urge this Committee to ask specific questions to clarify the inadequacies of the previous system.  A clearer articulation of the problems with the previous law would help define a proportionate solution.

Investigative Capabilities

The Green Paper speaks of the challenges of law enforcement getting access to “basic subscriber information,” which is cast as relatively innocuous on the premise that it does not include the contents of communications.  There has been extensive work done by my officials and other technical experts which find this subscriber information, or “metadata”, is far from benign. 

Daniel Weitzner, who founded the Internet Policy Research Initiative at the Massachusetts Institute of Technology, considers metadata “arguably more revealing [than content] because it's actually much easier to analyze the patterns in a large universe of metadata and correlate them with real-world events than it is to go through a semantic analysis of all of someone's email and all of someone's telephone calls.” And the GCHQ, the British signals intelligence agency, has publicly stated that metadata is more revealing for intelligence purposes than the content of communications.

If, as the Green Paper suggests, new legislation is to be informed by the privacy expectations Canadians have about metadata, they should be clearly advised what personal information metadata can reveal about them.

The Green Paper presents a scenario whereby a police officer wants to obtain metadata from an internet service provider but is unable to do so when the investigation is still in its early stages and there is not enough information to convince a judge to provide authorization. While we appreciate it might be useful information to have “at the outset of an investigation”, it is unclear to us why neither the evidentiary threshold required to obtain judicial authorization via production order or warrant nor the exigent circumstances exception articulated in R. v. Spencer, can be met.  I should add that preservation orders can be obtained on a reasonable grounds to suspect threshold, a low standard indeed. We would urge the Committee to probe government for precise explanations as to why current thresholds are unreasonable; and why administrative authorizations to obtain metadata, rather than judicial authorizations, sufficiently protect Charter rights.

A related issue concerns preservation orders and data retention.  The Green Paper describes the 2006 Data Retention Directive issued by the European Union which required telecommunications companies in member states to preserve data for set periods of time.  This Directive was struck down in 2014 by the European Court of Justice in large part because the scope of data to be retained was overly broad, for its impact on ordinary citizens who may have done nothing wrong, and the lack of limitations on access by law enforcement.  Such considerations are similar to those we raised in our comments on C-51.  It would also put such information at risk of data breaches, which are all too common an occurrence.

Encryption represents a particularly difficult dilemma. On one hand, as a technological tool, it is extremely important, even essential, for the protection of personal information in the digital world. On the other, as a legal matter, individuals who use it and companies that offer it to their customers are also subject to laws and judicial warrants that may require access to personal information where legitimately needed in cases where public safety is at risk. The issue is whether it is possible to enable authorized access for the state without creating technological vulnerabilities imperilling the privacy of significant numbers of ordinary citizens. Where it is not, which public interest should prevail?

Accountability

The Green Paper lists accountability mechanisms, including Ministerial oversight, judicial review, Parliament, and review by independent, expert bodies.  On the issue of Parliamentary review, I would note that Bill C-22, which proposes to create a National Security and Intelligence Committee of Parliamentarians, fills the need for democratic accountability, and brings us into alignment with other Western democracies.  I would note, however, that many agencies that have a role to play in national security or public safety are not currently subject to any independent expert review.  This is an omission which needs to be urgently addressed.

As I mentioned, my Office will be submitting a formal written response to this Green Paper, once we have fully analyzed some of its newer proposals. In the meantime, however, I would be happy to answer any questions you may have.   For instance, it would be important to discuss how monitoring of the Internet to prevent radicalization should not create a climate such that ordinary Canadians feel they cannot enjoy fundamental freedoms.

Thank you.