Consultation on Canada’s National Security Framework

Submission of the Office of the Privacy Commissioner of Canada to the National Security Policy Directorate of Public Safety Canada

December 5, 2016

National Security Policy Directorate
Public Safety Canada
269 Laurier Avenue West
Ottawa, Ontario K1A 0P8
ps.nsconsultation-consultationsn.sp@canada.ca

Subject: Consultation on Canada’s National Security Framework

Dear Sir/Madam:

I, along with my provincial and territorial counterparts, would like to take this opportunity to respond to the Call for Submissions issued on September 8, 2016 in support of the consultation on key elements of Canada's national security laws and policies to ensure they reflect the rights, values and freedoms of Canadians. Our Offices oversee compliance with federal, provincial and territorial privacy legislation and, as such, are responsible for protecting and promoting privacy rights of individuals.

Introduction

We note that the stated purpose of the National Security Green Paper is to “prompt discussion and debate about Canada’s national security framework,” which is broader than the reforms brought about by Bill C-51, the Anti-Terrorism Act, 2015. We fully support the need to review the entire framework. Bill C-51 is only part, even a small part, of the national security laws in force in Canada and it would be a mistake to only review the most recent addition to an important edifice. But to do that in a comprehensive way, the focus cannot be only on addressing challenges faced by national security and law enforcement agencies.

National security agencies have an important and difficult mandate in protecting all Canadians from terrorist threats, and we believe they generally strive to do their work in a way that respects human rights. But history has shown us that serious human rights abuses can occur, not only abroad but in Canada, in the name of national security.

In order to ensure our laws adapt to current realities, it is important to consider all that we have learned before and after 2001, including the revelations of Edward Snowden regarding mass surveillance, other known risks regarding the protection of privacy and human rights such as those identified during commissions of inquiry, as well as recent terrorist threats and incidents. Key lessons from this history are that the legal framework should include clearer safeguards to protect rights and prevent abuse, that national security agencies must be subject to effective and comprehensive review, and that new state powers must be justified on the basis of evidence.

Accountability

We are in full agreement with the Green Paper’s statement that “effective accountability mechanisms are key to maintaining the public’s trust in [intelligence and national security] agencies.”^{Footnote 1} However, the proposed creation of a new National Security and Intelligence Committee of Parliamentarians as envisaged by C-22, although a welcome step in the right direction, is insufficient. We note that other countries have implemented an oversight model which includes review by a Committee of Parliamentarians, while maintaining review by experts. While the former provides democratic accountability, the latter ensures that in-depth knowledge of the operations of national security agencies and of relevant areas of the law are applied so that rights are effectively protected. There are, however, still gaps in coverage in Canada by expert review bodies. Of the 17 agencies authorized to receive information under the Security of Canada Information Sharing Act (SCISA), only three are currently subject to expert review. As well, there are other government institutions which have a role in national security, including the Privy Council Office.

The Green Paper notes that in some countries, expert review takes the form of a consolidated model, meaning one review body is responsible for all relevant government institutions – a so-called “Super-SIRC”– whereas in others, different bodies are limited to reviewing one institution or one aspect of national security activities. We have no strong preference between the two models, so long as all government institutions involved in national security are covered. Furthermore, if there is more than one review body, all bodies must be able to collaborate in their review activities, and no longer operate in silos.

Among the models in place around the world is the US model where one body, the Privacy and Civil Liberties Oversight Board, is responsible for reviewing the activities of a number of national security agencies for compliance with both privacy and other human rights. Importing that concept in Canada might mean creating a “fully consolidated model”, where a single body would be responsible for reviewing all government institutions and all areas of the law.

While such a model would have some merit, we believe it is preferable to have the activities of national security agencies reviewed both by the Office of the Privacy Commissioner and either a single or multiple dedicated national security review bodies. This creates some overlap, but it ensures that both national security and privacy can be examined by experts with deep and broad knowledge of both privacy and national security law. Among other factors, there is value in having the privacy impact of the work of national security agencies reviewed by an institution that also reviews the work of other government departments, so that best practices and developments in privacy law can apply across government.

As mentioned, review bodies must be able to share information, including classified and personal information, so that their respective reviews can be performed in a collaborative and effective manner rather than in silos as is currently the case. The detriments to siloed review include duplication of effort with resulting effects on resources, but above all less informed and therefore less effective review by all relevant bodies. Given the OPC’s extensive and ongoing work in this area, it should be included among the review bodies granted the authority to share and receive information.

Minister Goodale acknowledged that the OPC is a “key part of the parliamentary oversight and accountability apparatus.”^{Footnote 2} This reflects the fact that information, including personal information, is a necessary ingredient in the work of national security agencies, many of which call information their “lifeblood.” Currently, the confidentiality provisions of the Privacy Act prevent the OPC from sharing information with other review bodies, such as the Security Intelligence Review Committee (SIRC), the Office of the Communications Security Establishment Commissioner (OCSEC) or the Civilian Review and Complaints Commission for the RCMP concerning ongoing investigations into national security practices. A system which proposes removal of silos between government departments for information sharing purposes in the name of national security must provide for the same removal of silos for the review bodies which ensure their activities comply with the law.

In order to be fully effective, review bodies must also be properly resourced. Greatly enhanced national security activities and initiatives in recent years have resulted in much heightened public concerns about privacy, including mass surveillance, but without any consequential increase in funding for the oversight bodies. For the OPC’s part, it has been forced to risk manage its limited resources, moving efforts from other mandated activities. This is less than ideal. It is also insufficient to produce effective review and privacy oversight, which are essential to maintain trust in national security activities.

The OPC’s research on oversight of security and intelligence agencies has led it to determine that, beyond resourcing, effective review requires meaningful independence from the executive, non-partisanship and institutional expertise, with knowledge of both domestic and international standards and law.^{Footnote 3}

Prevention

The Green Paper indicates the path to terrorism begins with “radicalization to violence,” and describes a number of preventative activities which can be undertaken to counteract radicalization.^{Footnote 4} While there is unquestioned value in community engagement, conduct of research and promotion of alternative narratives, we would be concerned if prevention activities, which include detection efforts, involved widespread internet monitoring. By creating a situation where people feel inhibited or censor themselves for fear that their views may be misinterpreted, they may turn away from using this important tool for personal development and for exploring ideas. There is some evidence this may already be happening: a recent study by the US Pew Research Center revealed that nearly nine-in-ten respondents had heard of government surveillance programs to monitor phone use and internet use and of those, a quarter had changed their online habits.^{Footnote 5}

There is a privacy interest in much that we do online, and the expectation of privacy will vary according to the context: a private “direct message” between users on a social media network will likely engage a greater expectation of privacy than, say, a public tweet. Furthermore, the perception exists that person-to-person e-mails are private communications, however vulnerable they are to interception. The intrusiveness of proposed “prevention activities” must take this fact into account. Overall, while we appreciate that countering radicalization is a legitimate goal, we advocate a balanced approach which limits the potential chilling effect and focuses prevention activities or detection efforts on what reliable intelligence reveals are credible threats.

Domestic National Security Information Sharing

The concerns we have in this area, as articulated in the OPC’s previous submissions to the Standing Senate Committee on National Security and Defence^{Footnote 6} and Standing Committee on Public Safety and National Security of the House of Commons,^{Footnote 7} remain. We recognize that protecting the security of Canadians is important, and that in order to do so, greater information sharing may sometimes lead to the identification and suppression of security threats. However, the scale of information sharing put in place by SCISA is unprecedented, the scope of the new powers conferred is excessive, particularly as these powers affect ordinary Canadians, and the safeguards protecting against unreasonable loss of privacy are seriously deficient.

(I) NEED FOR EVIDENTIARY BASIS

Given that increased information sharing affects privacy and other rights, the justification for SCISA should be made clear. We have yet to hear a compelling explanation, with practical examples, of how the previous law created impediments to information sharing operationally required for national security purposes. When Bill C-51 was introduced in Parliament, the government maintained that SCISA was necessary because some federal agencies lacked clear legal authority to share information related to national security. The Green Paper speaks to complexity around sharing which can “prevent information from getting to the right institution in time.”^{Footnote 8} These references to the “complexity” of the old law do not explain its shortcomings or how it frustrated the government’s national security operations. Situations where legal authority was lacking should be identified, but so far they have not been. A clearer articulation of the problems with the previous law would help define a proportionate solution.

(II) RELEVANCE AS THE LEGAL STANDARD

We remain concerned that SCISA authorizes information to be shared where it is merely of “relevance” to national security goals. Setting such a low standard is a key reason why the risks to law abiding citizens are excessive. Revelations by Edward Snowden have shown how pervasive government surveillance programs can be, including some in place in Canada, and how they can affect all Canadians, not only those suspected of being a terrorist threat. If “strictly necessary”^{Footnote 9} is adequate for CSIS to collect, analyze and retain information, as has been the case since its inception, it is unclear to us why this cannot be adopted as a standard for information sharing for all departments and agencies with a stake in national security. Necessity and proportionality are the applicable legal standards in Europe. European law permits member states to interfere with a citizen’s protected privacy rights only to the extent that the interference is necessary and proportionate in a democratic society.

As an alternative to adopting a “necessity and proportionality” standard for information-sharing across the board, consideration could be given to adopting dual thresholds, one for the disclosing institutions, and another for the 17 recipient institutions. An important point raised by departmental officials during the current review of SCISA by the Standing Committee on Access to Information, Privacy and Ethics is that because front line staff in non-listed departments do not necessarily have the requisite expertise or experience to make real-time and nuanced decisions as to what is necessary and proportional for purposes of carrying out a national security mandate, the onus of the higher threshold would be shifted to the 17 recipient departments that do have the capacity to make such decisions in an informed manner. The Committee discussed the issue of a “dual threshold” and this would appear a reasonable solution under the following condition. In order to close the triage gap between these two different thresholds, the 17 recipient departments should be responsible for selectively receiving and retaining only information that meets the higher threshold of necessity and proportionality (subject to any further limits imposed by their enabling laws), and under a positive legal obligation to return or destroy information that does not.

It should be noted that any changes made or contemplated which involve Canada’s national security activities could affect the European Union’s assessment of Canada’s status as an adequate jurisdiction towards which the personal data of the European citizens can be transferred. According to the European Court of Justice’s decision in Schrems^{Footnote 10}, necessity and proportionality are important considerations to maintain that status. This decision could have consequential implications for Canada’s trade relationship with the EU.

(III) DATA RETENTION

An issue of equal importance which the OPC has flagged in previous submissions is the setting of clear limits around how long information received or shared is to be retained. If the government maintains that the sharing of information about ordinary citizens (such as travelers or taxpayers) to one or more of the 17 recipient institutions under SCISA is necessary to undertake analyses meant to detect new threats, national security agencies should be required to dispose of that information immediately after these analyses are completed and the vast majority of individuals have been cleared of any suspected terrorist activities. This would be in keeping with the recent judgment of the Federal Court which held that retention of "associated data" for people who are not a threat to national security was illegal.^{Footnote 11}

(IV) INFORMATION SHARING AGREEMENTS

We maintain the need for an explicit requirement for written information agreements, as the OPC recommended in the context of Bill C-51.^{Footnote 12} These agreements, far from being cumbersome or unworkable, could be drafted at a level of specificity beyond what the statute provides but still remain general enough to be operationally flexible. They need not be at the individual activity level but rather designed to govern information sharing at the level of programs specific to departments, and could provide more specificity beyond the core standards. Elements addressed in these Agreements should include, as a legal requirement, the specific elements of personal information being shared; the specific purposes for the sharing; limitations on secondary use and onward transfer; and other measures to be prescribed by regulations, such as specific safeguards, retention periods and accountability measures. The OPC has, in the context of Privacy Act reform, recommended that it should be notified of all new or amended agreements to share personal information. The OPC should also be given explicit authority to review and comment, and the right to review existing agreements on request by OPC to assess compliance. Finally, departments should be required to publish the existence and nature of information-sharing agreements between departments or with other governments.^{Footnote 13}

(V) PRIVACY IMPACT ASSESSMENTS

An additional tool to determine whether government initiatives involving the use of personal information raise privacy risks is the Privacy Impact Assessment (PIA), which describes and quantifies these risks, and proposes solutions to eliminate or mitigate them to an acceptable level. At the federal level, the obligation to conduct PIAs is currently at the policy level, and is triggered by a new or substantially modified program or activity.^{Footnote 14} Despite this policy obligation, the OPC was concerned to see how few PIAs were undertaken in relation to SCISA. As such, the OPC has, in the context of advice to Parliament on reforming the Privacy Act, recommended that the obligation to conduct PIAs be elevated to a legal requirement rather than a policy one.^{Footnote 15} This is equally applicable in the context of the proposed reform to Canada's national security legal framework.

(VI) RECORD KEEPING

Our detailed views on accountability appear elsewhere in this document, but at this juncture it should be stated that record-keeping is an essential prior condition to effective review. The OPC’s advice to Public Safety in the context of the SCISA Deskbook was clear on this point: it called for guidance on the content of records that should be kept, including a description of the information shared and the rationale for disclosure.

(VII) DOMESTIC INFORMATION SHARING UNDER OTHER LAWFUL AUTHORITIES

Finally, SCISA is not the only mechanism by which information-sharing for national security purposes takes place.^{Footnote 16} In principle, we are of the view that the safeguards, in particular necessity and proportionality, which the OPC recommended in its review of SCISA should apply to all domestic information sharing.^{Footnote 17} As noted above, under EU jurisprudence and principles of international law, in a democratic society, intrusive state measures need to be rigorously justified as being both necessary and proportionate.^{Footnote 18}

International Information Sharing

One of the most important lessons learned from Canada's anti-terrorism efforts since 9/11 has been that international information sharing can lead to serious human rights abuses, including torture. The existing legal framework must be clarified to reduce these risks to a minimum and must consider the fact that once information is shared with foreign states, Canada has lost control of that information. In the OPC’s submission to the Senate Standing Committee on National Security and Defence on Bill C-44, An Act to amend the Canadian Security Intelligence Service Act and other Acts^{Footnote 19} on March 9, 2015, it cited the Supreme Court of Canada decision in Wakeling v. United States of America^{Footnote 20} which confirmed the importance of accountability and oversight measures to safeguard information shared with foreign states. Absent statutory safeguards, the protection of individuals against the risk of mistreatment would depend on the application of general constitutional principles which have not been defined clearly in the context of information sharing amongst national intelligence agencies.

Parliament also has a role in protecting individuals against violations of human rights. We would suggest that any powers conferred on national security agencies must be exercised in a way that respects Canada’s obligations under international human rights law in general and, specifically, the Convention Against Torture. Clear statutory rules should be enacted to prevent information sharing from resulting in a violation of Canada's international obligations. We note Justice O’Connor’s recommendation that “information should never be provided to a foreign country where there is a credible risk that it will cause or contribute to the use of torture.”^{Footnote 21}

In addition, the Governments of Canada and the United States have developed joint privacy principles in support of the Beyond the Border Action Plan: A Shared Vision for Perimeter Security and Economic Competitiveness.^{Footnote 22} These principles include reference to ensuring accuracy of information, limiting retention of information collected, ensuring relevance and necessity in the collection of personal information, limiting onward transfer of information to third countries, allowing redress before existing national authorities where a person believes their privacy has been infringed and requiring effective oversight. An issue for consideration is importing some of the principles into law. Our concerns regarding information sharing agreements as articulated above apply equally to international information sharing activities. We would urge that minimum content be defined, and that agreements be reviewed by independent bodies including the OPC.

Investigative Capabilities in a Digital World

The Green Paper rightly claims that law enforcement and national security investigators must be able to work as effectively in the digital world as they do in the physical, and that laws governing the collection of evidence have not kept pace with new technologies. However, from these premises one does not proceed to loosen legal rules or lower standards of protection. To the contrary, safeguards which have long been part of our legal traditions must be maintained yet adapted to the realities of modern communication tools, one of which is that these devices hold and transmit extremely sensitive personal information.

A preliminary observation before entering the discussion of metadata: the Green Paper appears to conflate law enforcement and national security agencies, which are two very distinct and separate mechanisms for ensuring public safety. Law enforcement and intelligence agencies have different mandates and work in different environments. Clarity on this is critical since different rules could be adopted for different manners of investigations. Plainly, the context of use for investigative powers matters a great deal to the privacy of individuals.

(I) METADATA IN A CRIMINAL LAW CONTEXT

Metadata, generated constantly by digital devices, can be far more revealing than the information on the outside of an envelope or found in a phonebook, as it is commonly characterized. For instance, metadata can reveal medical conditions, religious beliefs, sexual orientation and many other elements of personal information.^{Footnote 23} The British signals intelligence agency, GCHQ, has publicly stated that metadata is more revealing than the content of communications^{Footnote 24}. In short, it can be highly sensitive depending on the context.

Basic subscriber information, which is a form of metadata, is undeniably useful for investigative purposes. The Green Paper suggests it should be available to law enforcement more easily than under current laws because the police, particularly in the early stages of an investigation, do not have enough evidence to be in a position to satisfy a judge that there is reasonable grounds to believe a crime was committed and that the metadata requested would assist in the investigation.

Bill C-13, the Protecting Canadians from Online Crime Act, in force since 2015, has already lowered legal thresholds for accessing metadata. Under it, a production order for "transmission data", transaction records and location tracking can be obtained from a judge on a standard of “reasonable grounds to suspect”.^{Footnote 25} An order to preserve information or evidence can also be sought on mere suspicion,^{Footnote 26} giving law enforcement more time to find information in order to satisfy a judge on reasonable grounds to believe that an order for the production of the content of communications is warranted. The Criminal Code and the Supreme Court of Canada's decision in Spencer^{Footnote 27} even allow for collection in exigent circumstances with no court authorization at all.

We have not seen evidence why these provisions do not give law enforcement adequate tools to do their job. The government is proposing to further reduce safeguards. It has a duty to provide precise explanations as to why existing thresholds cannot be met and why administrative authorizations to obtain metadata, rather than judicial authorizations, sufficiently protect Charter rights absent exigent circumstances.

In our view, recent cases of metadata collection show that existing standards should, in fact, be tightened and that privacy protections should be enhanced. The past few years has seen extensive coverage and public concern over the operations of the Communications Security Establishment^{Footnote 28}, CSIS^{Footnote 29}, the RCMP^{Footnote 30}, the Sûreté du Québec and the Montreal Police (SPVM)^{Footnote 31} stemming from the collection, use, retention and disclosure of metadata. In many cases, the collection of metadata, including with warrants, involved innocent individuals who were not suspected of criminal activity or of representing a threat to national security.

A modernized law adapted to new technologies must take into consideration the fact that metadata emitted by digital devices can reveal personal information whose sensitivity often exceeds that for which warrants have traditionally been required in the pre-digital world. It must also ensure that the state's modern investigative tools do not violate the privacy of law abiding citizens.

First and foremost, it is important to maintain the role of judges in the authorization of warrants for the collection of metadata by law enforcement. Despite its imperfections, the judicial system ensures the necessary independence for the protection of human rights.

But we also now know that it is probably not enough to rely solely on the judiciary. Indeed, some judges have made this point themselves. In a recent ruling^{Footnote 32}, Ontario Superior Court Justice John Sproat found he did not have the power to impose privacy protective conditions on a production order involving the metadata of thousands of individuals who happened to be within the vicinity of a number of crimes. He said this responsibility rests with legislators.

We also believe that it is incumbent on Parliament to better define the conditions under which the sensitive metadata of Canadians should be available to police forces. These conditions include adopting sufficiently high legal thresholds and criteria for the issuance of court orders, but also, where these criteria are met, adding limitations to protect the privacy of people who are incidentally targeted by a warrant but are not suspected of involvement in a crime.

The criteria precedent to the issuance of orders would include but may not be limited to the burden of proof (suspicion or belief). On the whole, these criteria should provide law enforcement access to metadata where necessary to pursue their investigations but only in a way that recognizes the often sensitive nature of this type of information. For example, it could be prescribed that the collection of metadata should be a last resort, after all other investigative methods have been exhausted. This is already a condition for access to the content of communications and, as stated, metadata can be more sensitive in nature. Similarly, this type of surveillance could be limited to serious crimes to be prescribed in legislation, for instance crimes of violence where public safety interests may outweigh potential risks to privacy.

In cases where those pre-conditions are met, the law should then add conditions to protect the privacy of people who are incidentally targeted by a warrant but are not suspected of involvement in a crime. Judges could also be authorized to issue case specific limitations, where warranted. For example, there could be restrictions on use and disclosure (only for the investigation of the crime for which the authorization is granted) and limits on retention (metadata related to communications that have no connection with criminal activity should be destroyed without delay).

(II) RETENTION

The Green Paper also suggests facilitating police investigations by adopting in law general data retention requirements which would prevent companies from deleting their customers’ data before law enforcement can seek production orders. We note that in 2014, the European Court of Justice (ECJ) issued a decision^{Footnote 33} invalidating the 2006 EU Data Retention Directive,^{Footnote 34} largely on the basis that it entailed a significant interference with Europeans’ fundamental rights without imposing sufficient limitations on law enforcement’s use of the information collected. While the ECJ recognized that the objective of fighting terrorism and serious crime was legitimate, it found that the retention of data for the purpose of possible access by national law enforcement authorities seriously interfered with the right to private life and the protection of personal data, both of which are guaranteed in the Charter of Fundamental Rights (“EU Charter”). Article 52(1) of the EU Charter requires that any limitation on the exercise of guaranteed rights be necessary and proportionate. The ECJ held that the absence of any limit on whose information could be retained or how it could be accessed or used, and the lack of guidance to national authorities in controlling the use of retained data, meant that the Directive entailed “a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what it is strictly necessary.”

Preservation demands (to hold information for 21 days) and orders (which preserve information for three months) are a current tool under the Criminal Code which can be used. We have not seen evidence why these tools do not work. Introducing a broad retention requirement, not only impedes on human rights, as noted in the ECJ decision, it also increases the risks of breaches to that personal information. Retention requirements, if any, should be scoped narrowly, focussing on serious crime only, and should be for the briefest period of time possible.

(III) METADATA IN A NATIONAL SECURITY CONTEXT

Earlier this year, OCSEC reported on inappropriate information sharing conducted by the Communications Security Establishment (CSE).^{Footnote 35} In short, due to a filtering technique that became defective, metadata was not being properly minimized (for example, it was not removed, altered, masked or otherwise rendered unidentifiable) before being shared with international “Five Eyes” partners—the signals intelligence agencies of Australia, New Zealand, the United Kingdom and the United States. As noted in our subsequent report^{Footnote 36}, CSE shared large volumes of metadata with its international partners, some of which may have had a “Canadian privacy interest.”

The OPC made several recommendations following its investigation into the matter, including that CSE conduct a PIA on their metadata program and that the National Defence Act be amended not only to clarify the CSE’s powers but that those powers be accompanied by specific legal safeguards with respect to collection, use and disclosure in order to protect the privacy of Canadians. While the government maintains that metadata is essential for identifying threats, this case demonstrates that CSE activities related to metadata can affect the privacy of a large number of Canadians, and that these activities should be governed by appropriate legal safeguards.

In another recent case, the Federal Court found that CSIS had unlawfully retained for an extended period metadata that was not “strictly necessary” to its mandate related to threats to national security.^{Footnote 37} In our view, the law should be amended to ensure that where the personal information of individuals who are not suspected of terrorism is obtained incidentally to the collection of information about threats, the former should be destroyed once it has been determined after analysis that individuals have been cleared of any suspected terrorist activities.

(IV) INTERCEPTION AND ENCRYPTION

Context

Encryption represents a particularly difficult dilemma. As the Green Paper sets out in its scenarios, encryption can be a significant obstacle to lawful investigations and even to the enforcement of judicial orders. As a legal matter, individuals who use it and companies that offer it to their customers are subject to laws and judicial warrants, and these sometimes require access to personal information where legitimately needed in cases where public safety is at risk. On the other hand, as a technological tool, encryption is extremely important, even essential, for the protection of personal information and for the security of electronic devices in use in the digital economy. Unfortunately, the crux of the problem springs from the fact there is no known way to give systemic access to government without simultaneously creating an important risk to the security of this data for the population at large. Laws should not ignore this technological fact.

For contextual purposes, it is useful to distinguish between three primary modes of encryption: (1) traditional, which routinely is applied to systems and infrastructure (e.g. internal e-mail or telecommunications networks), where service providers typically hold the cryptographic key, (2) end-device encryption, such as that found on certain handheld devices and computers, where some service providers hold the key, while other firms do not, and, (3) third-party encryption software or applications (end-to-end encryption) which consumers can freely download to their devices, and where typically only the users control the key. It is the second and third encryption scenarios that pose more challenges in terms of how to address the needs of law enforcement.

International approaches

We fully understand the importance of encryption for a wide range of stakeholders – industry, civil society, citizens and police – who all have an interest in the issue. Cryptographic protections are important for online trust, e-commerce and general privacy protections. Therefore, it is not solely a law enforcement or security issue, with which many jurisdictions continue to grapple with options and regulations.

One instructive case for policy makers to bear in mind was a US law from two decades ago which mandated specific technical intercept requirements (the Communications Assistance for Law Enforcement Act). During implementation, in subsequent audits and reports to Congress, it was noted that there were serious cost overruns, administrative difficulties given technical complexities and legal problems stemming from enforcing compliance via inspections.^{Footnote 38} Many technical experts also have noted since that the specifics of the law were soon after overshadowed by changes in technology, network architecture and prevalence of social media.

Other countries legislating in this domain have sought to avoid many of those risks through more flexible regulatory approaches or more principle-base, tech-neutral law. For example, in recent years EU states have taken distinct and differing approaches in policy and law, either ruling out backdoor requirements as too great a risk for data protection and security (the Netherlands), opting to legislate specific powers for investigative orders where encryption is encountered - backed by heavy fines (France), or requiring plaintext from companies pursuant to court orders (the UK). These laws were fiercely debated and met with mixed results.

One factor that greatly impedes the efficacy of such laws is that many encryption tools originate from sources and firms abroad and are widely available, including to criminals and terrorists, so would restrictions primarily affect ordinary citizens with limited knowledge of protection tools? The rapid pace of technological change is also an important issue.

Existing Canadian rules

It should be noted that Canada is not without rules which may assist law enforcement agencies in addressing encryption issues. For instance, assistance order provisions came into force in March 2015 with the Protecting Canadians from Online Crime Act. That legislation empowers a judge to attach an assistance order^{Footnote 39} to any search warrant, interception order, production order or other form of electronic surveillance. These orders compel any named person to help “give effect” to the authorization, and these have been used in investigations to defeat security features or compel decryption keys.^{Footnote 40} The requirements are backed with serious fines and/or criminal penalties. In the US, companies respond to such orders thousands of times a year, as noted in transparency reporting.^{Footnote 41} However, the use of these orders to compel individuals to hand over the encryption codes that they use on their devices raises the possibility of self-incrimination and therefore Charter issues.

It is also important to note that at the federal level, provisions already exist for telecommunications carriers to build in surveillance capability, retain communications metadata and provide decrypted content to government upon request.^{Footnote 42} If these requirements (the Solicitor-General Enforcement Standards [SGES]^{Footnote 43}), which have been a condition of licensing since the mid-1990s^{Footnote 44} are not being properly implemented or enforced, government needs to explain exactly where these standards fall short and why they need modification.

Possible solutions

Parliament should proceed cautiously before attempting to legislate solutions in this complex area. Given the experience and factors noted, we believe it preferable to explore the realm of technical solutions which might support discrete, lawfully authorized access to specific encrypted devices, as opposed to imposing general legislative requirements. At the same time, an open dialogue with the technical community, industry, civil society and privacy experts including the OPC, could provide valuable input; the Green Paper could be the beginning of such a dialogue.

However, if the government feels that a legislative solution is required, we believe that amendments should reflect and articulate the principles of necessity and proportionality^{Footnote 45}, so as to narrow how much information is decrypted, and that such extraordinary measures should be used as a last resort.

(V) TRANSPARENCY REPORTING

Another aspect missing from the Green Paper concerns transparency reporting, which is an important part of ensuring balance and accountability. Since 2009, the OPC has advocated for a reporting regime on personal information disclosures to government by commercial organizations. The OPC has addressed these calls to Parliament, government bodies, companies and industry associations. Its 2013 PIPEDA Reform paper called for a reporting regime to be enacted, as did the Office’s recommendations to Parliament on Bill S-4, the Digital Privacy Act in 2014-2015.^{Footnote 46} These recommendations call upon commercial organizations to be open about the number, frequency and type of lawful access requests they respond to.

In the past few years, six telecommunications companies (Rogers, TELUS, TekSavvy, MTS Allstream, Sasktel and Wind) in Canada each began to publish annual reports which provide statistical details on various forms of customer name/address checks by government, court orders and warrants, as well as emergency requests from police in life threatening situations. These categories are generally described in the reports with specific examples, as well as a description of the applicable legal authorities involved. With the OPC’s assistance, the Department of Innovation, Science and Economic Development has provided an additional set of guidelines to encourage consistent reporting.

Transparency reporting limited to the private sector is insufficient and it is frankly abnormal that government institutions are not legally required to report on these issues, subject of course to limitations required to protect investigative methods. The OPC has therefore recommended strengthening reporting requirements on broader privacy issues dealt with by federal organizations as well as specific transparency requirements for lawful access requests made by agencies involved in law enforcement. There are various models and approaches for developing such reporting. On the public sector side for example, the Annual Report on the Use of Electronic Surveillance tabled annually in Parliament since 1977 (pursuant to Criminal Code section 195) has provided a reporting framework on transparency for very sensitive law enforcement investigations.

Timely, accurate statistical information on government requests and access of personal information – in the form of clear transparency reports at regular intervals – can form the basis for rational consumer choices and build citizen confidence in a growing digital economy and its interface with the state for law enforcement and security purposes. Public debates and decisions on privacy need grounding in facts and legal reality. Good transparency reporting based on evidence can support these discussions.

Conclusion

This exercise stems from a government commitment to repeal the problematic elements of Bill C-51, the Anti-terrorism Act, 2015, a commitment whose objective was to strike a better balance between security and human rights. As stated at the outset, we support the broader approach under which the entire security framework is to be reviewed, because problematic elements of this framework are not all found in Bill C-51. For instance, commissions of inquiry were conducted to review national security activities in the aftermath of 9/11 and have concluded that Canada had violated fundamental rights.

Now that it is clear the government wishes to take this opportunity to consider new state powers, we feel it is important that we not forget the lessons of history. One of these lessons is that once conferred, new state powers are rarely relinquished. While we applaud the government's wish to reconsider recent amendments with a view to strengthening human rights protections, we trust this same philosophy will apply to the potential expansion of investigative tools. Government should only propose and Parliament should only approve such expansion if it is demonstrated to be necessary, not merely useful or convenient, and proportionate. For its part, proportionality will depend on the adoption of strong and effective legal safeguards, standards and oversight.

This consultative exercise is a positive step, and we welcome the opportunity to continue the discussion about how best to ensure that Canada’s national security framework truly protects Canadians and their privacy.

Sincerely,