Friday, June 23, 2017

In an analysis in Policy Options magazine, Prof. Kent Roach and University of Ottawa professor Craig Forcese conduct a detailed assessment of Bill C-59, An Act respecting national security matters, recently introduced by the federal government to reform Canada’s national security law ("A report card on the national security bill," June 22, 2017).

Read the full article on the Policy Options website, or below.

On this subject, Roach and Forcese also published "The roses and the thorns of Canada’s new national security bill" in Macleans magazine, June 20, 2017.


A report card on the national security bill

By Kent Roach and Craig Forcese

June 22, 2017

Bill C-59 is the government’s massive reform of Canada’s national security law. It is the real deal: the biggest reform in this area since 1984, and the creation of the Canadian Security Intelligence Service (CSIS). It is a big deal: 150 pages. We have been poring through it, contrasting its features against the views we expressed in our 2015 book, False Security, which addressed the Stephen Harper government’s controversial Bill C-51.

We have not finished reviewing it yet, but we want to make observations and raise questions and issues in the hope of galvanizing discussion and commentary. Where we misstate, overstate or err, we appreciate feedback. So, this is a mid-term assessment, not the final grade.

Review of national security conduct

Grade: high honours

Bill C-22, creating a national security and intelligence committee of parliamentarians, has now passed through Parliament. Bill C-59 addresses one thing that C-22 left unaddressed: a revamp of our system of expert national security review. Tuesday’s Bill will create a new national security and intelligence review agency (colloquially called a “super SIRC” after the Security Intelligence Review Committee, CSIS’s current review body, which will become the new review body). The critical difference and improvement is that the new review body can “follow the trail” by examining the national security functions of all government departments.

The new review agency will have broad access to information, including material prepared by lawyers. This is notable: Government legal advice may be critical (and perhaps wrong) in determining the ambit of security powers. Like SIRC, the new review agency’s only limitation on information access will be to Cabinet confidences.

The proposed review agency will also hear complaints, but only against CSIS, CSE and the RCMP (in relation to national security matters). In an interesting twist harkening back to the old CSIS Inspector General (abolished by the Harper government), the Bill allows the review agency to tell a department to carry out reviews of the legality and reasonableness of the department’s own measures, and its compliance with ministerial directives. This could be a valuable instrument that combines internal self-regulation, ministerial oversight and external review.

The new review body is welcome, and will be state-of-the-art in terms of the law. But much will depend on the resourcing of the agency and those who are appointed to it. There are provisions for the prime minister to consult with party leaders about appointments to the agency, but commanding public confidence will require more than simple consultations among political leaders. It will require credible appointments and robust resourcing and staffing. Tackling whole-of-government review will be a big challenge, with inevitable teething pains: suddenly a number of government departments never reviewed before will be subject to scrutiny.

Communications Security Establishment

Grade: Pass on CSE mandates, with a potential for a high honours on accountability.

The CSE overhaul is massive. CSE’s mandate is expanded – with the headline change being a new “active” (aka, offensive) cyber ability: “activities on or through the global information infrastructure to degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security.” (This may be directed outside Canada and at non-Canadians only).

For those concerned that C-59 is a security roll back, the active cyber roles are a real change in an area long neglected in law. C-59 updates the law in a dynamic area that is growing in importance. CSE also keeps its mandate in “cybersecurity” – a separate concept relating to a somewhat more passive cyber protection of government (and other important) information systems.

We have some questions about CSE’s mandates. For instance, CSE retains an electronic (or signals) intelligence-gathering role. But then, why does the Bill suggest CSE’s intelligence function might include “modifying, disruption, deleting…anything on or through the global information structure”? This blurs the line between intelligence gathering and active cyber activities, otherwise segmented by different legal rules in the Act.

Overall, the limits on active CSE cyber conduct seem too permissive. The CSE cannot cause death or bodily harm to an individual or obstruct justice, which is welcome. But there is no limitation on causing the loss of, or any serious damage to, any property that might in turn endanger a person. Bringing down a power grid, for instance, may not cause bodily harm, but it could endanger public safety. So too might bringing down and disrupting a person’s cell phone or computer in a particularly dangerous part of the world.

A major issue is how the Bill proposes dealing with the accountability challenges that have plagued discussions of electronic intelligence since the Snowden data-dump in 2013. There is a lot of misunderstanding in this area. CSE has not been allowed to direct its foreign intelligence and cybersecurity activities at Canadians or persons in Canada. But because of the nature of the Internet, information produced by Canadian communications may be swept up in these activities. The controversial issue has been the following: given that incidental collection is inevitable, does the Constitution require that collection first be authorized by a judge? (This is the issue at the core of the BC Civil Liberties Association lawsuit against CSE.)

Bill C-59 takes a kick at the can in resolving this dilemma. Overall CSE review will now be performed by the new whole-of-government review agency. This will facilitate review when CSE works with CSIS or other government agencies.

The Bill also introduces front-end “oversight” (that is, an authorization system) in the form of an intelligence commissioner, a retired judge. The commissioner will bless (or not) ministerial authorizations for certain foreign intelligence and cybersecurity activities or classes of activities. He or she will approve types of operations, rather than specific activities, and so they are not true warrants. But those ministerial authorizations in turn must include safeguards about how information is incidentally collected. Again, resourcing and staffing will be key.

But here’s our uncertainty: when does CSE need to obtain a ministerial authorization that is subsequently vetted by the commissioner? For intelligence and cybersecurity activities, the threshold is when the activity would contravene “any other Act of Parliament.” And that is the only legal trigger we can find actually embedded in the Act, and requiring a trip to the intelligence commissioner. We fear this is ambiguous. Based on past legal interpretations, we doubt it will automatically reach the collection of so-called “metadata” – e.g., phone numbers, call duration, email addresses, cellphone location data – that may have Canadian content. We think this may be a bug in the Bill, and not a feature. And we think it could be fixed with a handful of words in section 23(3) and (4).

The CSE changes also prescribe rules on the subsequent sharing of information that may identify a Canadian – a thorny controversy over the last few years. Some of the changes seem to codify internal working procedures on this issue, which is welcome. But there appears also to be some effort to comply with Supreme Court jurisprudence on the Charter and the sharing of information that was collected through invasive surveillance, which is most welcome.

But there are some curious omissions. On the issue of retention and sharing of CSE-collected information, the intelligence commissioner is excluded from performing an oversight function of some sort. Should there not be oversight safeguards for the use and sharing of information that originates from Canadian communications?

And while the Commissioner will be busy overseeing information collection during CSE’s intelligence and classic “cybersecurity” functions, we note he or she appears to have no oversight role in relation to active (and the related “defensive”) cyber operations.

There is a lot more to say in this area, and our copy of the Bill is marked with queries, arrows and questions. But, overall, Bill C-59 seems to be grabbing the bull by the horns on accountability, with a bug or two that we hope can be easily fixed.

CSIS

Disruption powers – grade: high honours, but with caveats

Bill C-51 was widely criticized for the open-ended new “threat reduction” powers it gave CSIS – the ability to intervene physically to reduce threats to the security of Canada. The big issue was that these powers were only restrained by prohibitions on bodily harm, violations of sexual integrity and obstructions of justice. CSIS could conceivably breach any Canadian law or even the Charter – if approved by a secret, one-sided, Federal Court warrant process.

Bill C-59 reins in those powers. It adds a bar on torture, cruel, inhuman or degrading treatment, detention and serious property damage endangering a person. We do not believe CSIS ever wanted this authority, and so this is both a principled and entirely rational change.

Bill C-59 stresses (repeatedly) that threat reduction powers must comply with the Charter, and it provides a closed list of what those powers are: altering or disrupting communications and goods, fabricating documents, disrupting financial transactions, impersonating persons, and interfering with persons’ movements. This approach allows the government to argue that threat reduction powers are prescribed by law and are a reasonable and justified limit on Charter rights.

One power – interfering with movements – causes some concern. Does interfering with someone’s movements under the guise of threat reduction mean a citizen can be denied reentry into Canada on terrorism grounds? If so, are the safeguards in the present Bill enough? Trapping someone in Syria may cause bodily harm.

Generally, the list of items that CSIS can do with warrants requires careful parsing. But the system of a closed list of items for which warrants will be sought, with greater limits on the outer reach of CSIS powers, seems to us to be the most viable means of putting the whole system on a viable constitutional footing.

Immunity provisions – grade: pass

This section is exclusively about intelligence gathering – not threat reduction. CSIS undercover intelligence activities have always involved infiltrating plots in a manner that might violate one or other criminal law. The police have similar issues – and they are immunized for their conduct in section 25.1 of the Criminal Code. The latter was controversial when it was enacted. But some degree of immunity is needed if we expect officers (and their sources) to do their covert work infiltrating plots and terror groups and being effective in that function. They may need, for instance, to give money to a terrorist in their pretend role. That risks being a crime, without an immunity safeguard.

CSIS has classically relied on Crown immunity for protection. This is a nonstatutory common law concept. So, the whole process has been clothed in secrecy and never reported, because there was no statutory explanation of the immunity. Nor was there any external oversight of any sort, by a court or otherwise (except if CSIS, while seeking a warrant for an invasive search, had to disclose the potential for breaking a law).

C-59 changes that, probably because it is not clear Crown immunity extends to mere sources who are not true agents or employees of the government. The Bill puts everything into black and white, in written legal text. In doing so, it follows section 25.1 of the Criminal Code in establishing an internal system within CSIS for approving conduct that would otherwise break the law. It also has a public annual reporting requirement: namely data on the frequency and nature of the law-breaking. It improves on section 25.1, though, in lengthening the list of no-go areas: things the CSIS officer or source could never do. This is the same no-go list as proposed for threat reduction, described above.

It also enlists the intelligence commissioner to approve the class of activities for which CSIS officers may have immunity. This is not direct operational oversight, but instead signs off on a general list of acts or omissions that would otherwise be criminal. We assume that the Federal Court will continue to have eyes on these issues, to the extent they arise when CSIS seeks a warrant for invasive searches or disruption activities. There is also the prospect of review, after the fact, by the new review agency.

A power by any state agent to break the law makes us nervous. On the other hand, aspects of that power have always been exercised under murky common law Crown immunity. Some of the crimes for which immunity is provided, relating to forgery and maintaining a false identity, seem essential to covert operations. Alas, we simply cannot say whether the measures proposed here are more sweeping than those used in the past – because we do not know what happened in the past. Still, we are inclined to the view that there are more checks and balances. There is certainly more transparency.

Where we worry most, however, is how this new immunity concept will interface with threat disruption. Legally, these are separate regimes. But how will this work when a CSIS source in a terror group, benefiting from the immunity provision, morphs into an agent doing actual threat reduction by impersonating persons or fabricating documents? In relation to certain, listed threat-reduction activities, we assume it means a prompt trip to the Federal Court (which may exert more limits on activities than the new immunity regime proposed in section 18.2 of the CSIS Act).

Datasets – grade: pass (with the potential for a high honours after we are able to see more details)

Bill C-59 responds to a fall 2016 Federal Court landmark ruling. It found that for 10 years CSIS had illegally stored information derived from some of its wiretaps. The new Bill creates broad new provisions authorizing the collection, retention and use of “datasets” – electronic databanks compiling information on a common subject. Some of these datasets will have information on Canadians, and others will have primarily foreign information.

These datasets may not relate directly or immediately to threats to the security of Canada – they may be collected as long as their use is relevant to CSIS’s duties. This standard is more permissive than the current rules in the CSIS Act on use and retention, although there are also expectations that some especially sensitive information (such as solicitor client information) will always be deleted.

With new powers, though, comes a complex new accountability framework. Most importantly, the types of Canadian information datasets that CSIS may collect will be approved first by the minister and the intelligence commissioner. CSIS may then collect such datasets, if this activity falls within its intelligence collection mandates. Then, if CSIS wants to keep the dataset, it must go through a second process. This time it needs ministerial and Federal Court approval. That approval can set conditions on how the information may be retained and used. Indeed, the Federal Court may prescribe rules on the searches that can be run on the datasets. To be clear, CSIS will not need separate approvals for each search, but having a court set ground rules is a novel and welcome development. In so doing, we think it probably sidesteps inevitable Charter issues. This is getting into high pass territory.

However, we find that we simply do not have a detailed enough understanding of the datasets involved to come to a firm conclusion. So we are a bit lost on the practical implications of all this information in the hands of CSIS.

Police powers

“Preventive detention” (“recognizance with conditions”) and peace bonds – grade: pass

Bill C-51 made it easier to make preventive arrests and also to obtain regular peace bonds (it is important to realize these are two separate things and that they have been around since 2001). Preventive arrest permits warrantless detention without criminal charge. The system may then allow continued detention for up to seven days, under court supervision, pending the imposition of a peace bond. (Before C-51, the maximum detention period was 72 hours.)

A peace bond is basically a restraining order – it does not amount to imprisonment, but instead includes other strictures on liberty (for example, wearing an electronic bracelet).

There is also a separate and different peace bond system in the Criminal Code. Again, this allows restraining orders. But there is no preventive arrest – any arrest must be with warrant.

Preventive arrest and detention has never been used. Regular peace bonds are now commonplace.

With C-59, regular peace bonds remain largely untouched, with some new annual public reporting requirements.

Preventive arrest sees some modest changes. The amendments in Bill C-59 would retain the existing test for preventive arrest, but change some of the thresholds in this test. The test has two stages. First, the arresting officer has reasonable grounds to believe that a terrorist activity may be carried out. The second stage requires that the peace officer “suspects on reasonable grounds” that the arrest or peace bond “is necessary.” This “necessary” language replaces C-51’s more permissive “is likely to prevent” the terrorist activity. This is a minor change that is difficult to assess – these powers have never been used since they were first created in 2001. We think they would never in practice be used, anyway, except in true emergencies likely to meet the “necessary” threshold. That is because preventive arrest blows the cover off a covert investigation. And without that covert investigation, you may not be able to unravel a conspiracy. And so, once you arrest someone and preventively detain them, it will likely be because there is an emergency that precludes more conventional police work.

Still, we worry that the seven-day maximum preventive arrest time remains in place. That is a long time to hold someone in prison because you merely suspect them without having the basis for criminal charges – regular criminal law would never allow them. And it is a long time to be questioned by police while detained. There has been no effort in the statute to regulate the sort of questioning police may undertake during this time. (Although a detention would be supervised periodically by a court).

Preventive detention is an enormously controversial concept and should always be carefully hedged-in with safeguards. It is the kind of thing that drove many of the controversies at the origin of our legal system. We think there might be room for it in true emergencies, but have been persistent in clamouring for more checks and balances. We will keep at it.

Investigative hearings – grade: high honours

Investigative hearings are repealed. These hearings were supposed to be about secretly compelling persons to provide information useful to terrorist investigations. The procedures were introduced after 9/11, but were never successful. They were tried with a reluctant witness in the Air India trial – a trial that resulted in two acquittals in 2005.

Repealing investigative hearings makes sense – they were always an unwieldy concept, requiring the police to abandon any hope of a covert investigation after the Supreme Court held they had typically to be held in open court.

Bill C-51’s speech crime – grade: high honours

Bill C-59 will drop the problematic and vague crime “knowingly advocates or promotes the commission of terrorism offences in general.” It will replace it with the more familiar and clear criminal law concept of “counseling another person to commit a terrorism act.” This conduct will still be punishable by five years in jail.

Counselling or inciting others to commit crimes has always been a crime. The Bill C-59 change is a big improvement on Bill C-51’s provocatively broad speech crime which came perilously close to criminalizing political comments that glorified terrorism. This new definition will also apply to warrants to seize terrorist propaganda.

Criminal Code terrorist group listing – grade: pass

Under the Criminal Code, the cabinet can list terrorist groups. People who have the wrong sorts of dealings with the listed group (for example, giving them money) can then be prosecuted. But terrorism listing has not been that important in Canadian criminal law – most of the prosecutions involving terror “groups” have not been with respect to listed entities like Al Qaida, but rather connected to “bunch of guys” conspiracies. But we expect there will be more prosecutions now in relation to the listed group ISIS, or Daesh.

The listing system requires a reconsideration of each listing every two years. Under C-59, that will now happen every five years. This may not be that important, since reviews do not amount to much.

But there has been at least one instance where an entity challenged its listing as a terror group. And it really was not able to do so because its assets were frozen. It might be fairer to allow frozen assets to be tapped to cover the costs of an appeal. And it also might be wise to guarantee that those who work on the appeal as lawyers are not later accused of terrorism offences because of that work. The UK has these rules and so should we. Most people will not care much about this. False positives – wrongly listed entities – may be rare in this area. But they need to be taken seriously – and we should expect that an appeal system built into the statute can actually be used.

Administrative powers

No fly list and special advocates – grade: incomplete

The no-fly list is one area where we know that there have been false positives – people stopped because they have the same name as a bad guy on the list. Fixing this kind of false positive probably means managing the no-fly list from a central government system – as opposed to farming the list out to the airlines to manage. Changes made in C-59 should make this easier. But simply changing the Act to make it possible won’t cover the cost of making this change to our unwieldy present system. Still, we understand administrative steps are underway to arrange this fix. Hence, the incomplete grade.

We note there is also the risk of a second kind of false positive on the no fly list – people who really are the ones on the list, but who are not really dangerous. This is a risk because people can be listed on a very low standard of evidence. If a person is listed, there are appeal rights. C-59 makes a slight change: where there is a challenge, a person will be delisted if the minister does not respond. But the minister now would have 120 days as opposed to 90 to make a decision on whether to respond or not. This is a long time if you have been wrongly listed. Meanwhile, in the appeal itself, there is no special advocate empowered to challenge the government case in the secret appeal. This is an unfortunate omission, since special advocates exist and have done very valuable work in the immigration law’s secretive “security certificate” regime.

On that point: special advocates in immigration security certificate cases will remain handcuffed in their ability to see all secret information. Those handcuffs were imposed by C-51. C-59 does not take them off, guaranteeing a return visit to the Supreme Court if the government ever resorts to its secret evidence powers in the immigration law.

Information-sharing and privacy

Grade: fail, with instructor’s discretion to give it a bare pass

The Security of Canada Information Sharing Act was one of the most controversial parts of Bill C-51. It galvanized civil society opposition – and that opposition carried over to the Green paper consultations conducted in the fall of 2016.

Bill C-59 is perhaps most disappointing in its very light-touch amendments to this controversial and poorly drafted part of Bill C-51. C-51 created a provocatively broad and novel definition of “activities that undermine the security of Canada” justifying internal federal government information sharing. In C-59, that definition has not been replaced with the more traditional (and still broad) definition of “threats to security of Canada” found in the CSIS Act. So, the information-sharing law definition still includes the vague concept of “undermining the sovereignty and security of Canada or the lives or security of the people of Canada,” and even extends it to apply to those connected to, but outside Canada.

It leaves intact the quasi-sedition section that refers to “changing or unduly influencing a government in Canada by force or unlawful means.” It only adds that interference with critical infrastructure must be “significant and widespread.” It also retains reference to conduct in Canada that undermines the security of any other state. Would protests against a repressive government that is a key Canadian ally qualify? The Justice Department suggests in its Charter compliance statement that this definition only includes information related to violence, but its breadth goes far beyond violence.

The Bill clarifies the exemption for protest, dissent and artistic expression. But it does so by allowing such activities to be still subject to the disclosure provisions of the act if they are “carried out in conjunction with an activity that undermines the security of Canada.” And so, the protest exemption is tied to a statutory term that (even after the minor amendments in Bill C-59) remains the broadest definition of national security in the law books. So again, would protests against a repressive government that is a key Canadian ally qualify for the exemption?

The operative section 5 of the Act is amended, but it would still allow broad sharing whenever the disclosure “will contribute to the exercise of the recipient institution’s jurisdiction” in relation to security. This is far short of requirements that disclosure be “necessary” to that jurisdiction, a reform urged by the Privacy Commissioner. To be sure, C-59 adds new requirements that privacy only be infringed so far as reasonably necessary, but these are indexed to its still overbroad definition of activities that undermine the security of Canada.

Bill C-59 does, however, improve the information disclosure act with respect to several information-sharing practices raised by the commission of inquiry into the treatment of Maher Arar. Notably, agencies that disclose information must provide information about its accuracy and the reliability of the methods used to obtain it. There is also a more accountability-friendly requirement to keep detailed records on what information is disclosed under the act and to provide them on an annual basis to the new review agency discussed above.

Nevertheless, the breadth of security information disclosure and sharing under Bill C-59 remains almost as large as it is in Bill C-51. This will provide challenges both for the Privacy Commissioner and the new review agency asked to keep an eye on this system.

Intelligence to Evidence – grade: deferred

There is another information-sharing issue: sometimes too little is shared. The Air India Commission devoted four years to the study of the difficulties of sharing CSIS intelligence with the police, to be used by prosecutors in terrorism trials. This is called intelligence to evidence.

In our book False Security, we argued that C-51 (and an earlier C-44) might make intelligence-to-evidence problems worse by giving CSIS sources new identity protection privileges and allowing CSIS to reduce threats without relying on the police, potentially muddying waters for any subsequent prosecution.

These issues, and the Air India Commission’s unimplemented recommendations on intelligence-to-evidence, are unfortunately not addressed in Bill C-59. (Although the revamped CSIS threat reduction power does require consultation with other government agencies, such as the police, before threat reduction occurs).

At the same time, the government has committed in a backgrounder to consult on this issue. But, so far, a point we made in False Security is still true: that the massive new information sharing act created by C-51 and retained by C-59 permits but does not require the sharing of intelligence on terrorist-related conduct. And until we solve the intelligence-to-evidence issue, we may not be able to ensure seamless, inter-agency responses to terrorism.

Our key takeaway based on close second and third readings of C-59 is there is much to like – in some cases to love – about it. As we wrote this, we thought of our recently deceased friend and colleague Ron Atkey, the first chair of SIRC, who we are confident would have been overjoyed with the expansion of SIRC.

There are, however, a few bugs in C-59, but they appear to be bugs, not features. Hopefully they can be corrected. There are also some omissions – new roles for special advocates, for instance, and intelligence to evidence. And the information-sharing law will rightly remain controversial. Not everyone will agree with the tradeoffs and compromises in the Bill. But a lot of people in government worked hard to tackle real problems. And it shows.