A number of really interesting briefs have been prepared by various stakeholders, going into the next round of House of Commons legislative hearings on bill C-59. Many seek to ratchet tighter the accountability structures in the bill, especially for CSE and CSIS (where they don’t call for the outright abandonment of these agencies’ proposed new powers).
I haven’t had a chance to review all the specific ideas, but two of these sets of recommendations stand out for me in this area. Let me address the first in this post, and a second in one to follow.
Stakeholders have expressed a recurring concern about “publicly available” information. Both CSE and (to a slightly lesser extent, in relation to datasets) CSIS are exempted from the special oversight accountability structures imposed on information collection, where the information is said to be “public”. Indeed, in relation to “publicly available information”, CSE is relieved of its obligation not to direct its activities at Canadians. Neither the CSE nor the CSIS dataset rules include a truly meaningful definition of public information, raising concerns about the fuzzy line between public and not-so-public. The phone book (does it still exist?) is one thing. Hacked information now spilled out on the web and technically publicly available “at the time of its collection” (the CSIS definition) is another. Should there be safeguards on its collection, retention and use by intelligence agencies? The CSIS amendments provide rules on the retention, querying and exploitation of public information, yes, but exempt it from the more thorough independent vetting system for other sorts of datasets.
On the one hand, it would be naïve and prejudicial to ask intelligence agencies to turn a blind eye to any source of information within their legal mandate and contributing to their mission. On the other hand, it would be pernicious to create a nudge-nudge-wink-wink intelligence service market for unlawfully acquired information. Or even, possibly, lawfully released information revealing personal information in unexpected ways. Given the Supreme Court’s trajectory, it is possible it will ultimately conclude that a person retains a constitutional privacy interest in even public information (at least of a certain character).
But even if Charter s.8 does not go this far, there may be policy reasons to treat the state’s acquisition of “public” information differently than similar private sector activities. For one thing, the private sector is not generally equipped with guns and jails and the coercive apparatus of the state. Nor does it have access to the full panoply of information we are all compelled to provide to the state, in our interaction with its regulatory function (think tax info). So the state has unparalleled capacity to scrape public information and combine it with both closed intelligence and other state-acquired information. That gives “public” information a qualitatively different significance in the hands of the state. Predicting in advance what implications this has is impossible, which is an argument in favour of an independent oversight function even where “public” information is at issue. (Back-end review seems insufficient, especially since review bodies have powers of recommendation, only. And in some instances in the past, issues raised by these bodies have taken years to redress. Independent pre-authorization, required to undertake the activity, is a more robust way to oblige careful consideration of the dilemmas, and if section 8 were ever engaged, is likely required anyway.)
All of this is to say that these concerns are worth redressing, at minimum by plugging even public information acquisition into the independent vetting systems anticipated for both CSIS datasets and CSE foreign intelligence and cybersecurity mandates. I fear that otherwise, this issue will become a festering source of unease about the good faith of the security services, and perhaps a source of future controversy.
FYI, readers may wish to refer to my process flowchart to see what I mean about the different treatment of publicly available information under the CSIS dataset regime.