Over the next few months, I will try to post thoughts on Bill C-59, the government’s massive national security overhaul package. Kent Roach and I have posted two quick assessments: an oped in Maclean’s and a longer piece at the Institute for Research on Public Policy website. I also provided reactions to the media in various placed, including on The House here and Power & Politics here.
(We always worry about pushing out analyses of such complex legislation on an insta-response basis, and qualify what we say with an open invitation to point out errors and omissions. Like most people, I learn best when I write, reflect, discuss, revise.)
In this space, I want to meditate on two issues emerging in the discussion. First, that C-59 is about correcting C-51, creating the impression (fanned by some politicians) that C-59 rolls back security powers. Second, the resource and burden issue.
C-59: Reforming without subtracting
A word of warning: Kent and I always took the view that C-51 was dealing (mostly) with real problems, but the solutions were so festooned with their own shortcomings that they didn’t solve the problems, but did create a host of new ones. (The speech crime was the exception: it was always a solution in search of an invented problem).
I won’t repeat our analysis here. (We set out our conclusions in the 600 pages of False Security.)
This is by way of saying: I was never in the “repeal and return to the prior status quo” camp. Because that status quo meant returning to a security law system that creaked with age and inadequacy.
Fixing the Problematic Parts
If we expect the state to protect us, we need to give it tools. In part, this is because I believe the civil liberties implications of the day after a security failure are always worse than the civil liberties challenges raised during a calm, premeditated effort to give security services reasonable tools to prevent that incident. (After some bomb goes off, everyone assumes that it stems from a failure of law, and that we need fewer rights. Usually, the reason is more complex: sometimes it is operational. And sometimes it is simply a manifestation of the old IRA slogan about security services needing to successful all the time, and terrorists only once. Those impossible odds mean something will always happen. And so you need social resilience, not a stampede to turn your society into North Korea.)
When we do security law and policy reform properly, the questions always are: which tools, are they proportional, and are they compatible with a liberal democracy (and avoid the “burning villages to save them” problem). And for anti-terror tools, focused on a threat embedded in a civil population, “overclocking” on your tools may precipitate the very threat you intend to stave-off. (Witness the nonsense discussion on the margins of the internet last month, after the UK incidents, raising the prospect of mass internment. Setting aside the egregious rights violations, this is out past Pluto in terms of security: people need to spend more time examining the blowback consequences of mass internment. It’s a pretty good way to turn a difficult security environment into a 100-year war.)
C-59 is about correcting C-51’s (unnecessary, probably-never-actually-wanted-by-the-security-services) excess, and I think it generally does a good job here (with the real remaining concern being the light-touch amendments to the Security of Canada Information Sharing Act, renamed and tempered, but still vast). For instance, I doubt CSIS ever wanted to be in the detention and rendition business – so why create a law that made that a legal possibility?
For more on these fixes, see our IRPP piece, linked above.
Dealing with (Some) of the Puzzling Omissions
But C-59 is also about giving new powers to the security services. Four things stand out. First, by placing CSIS threat disruption powers on a more plausible (although surely still novel) constitutional foundation, it makes those actually usable. (CSIS has clearly not been prepared to use threat reduction that raised constitutional issues under C-51, probably appreciating that the C-51 formula was an invitation for controversy in the courts and out).
Not everyone will think we’ve hit the sweet spot. See Michael Nesbitt’s excellent analysis. But we are way closer than with C-51 – with that bill’s formula, it was really hard to find a constitutional lawyer (not taking instruction from government) who thought we were even in the ballmark. And whatever we might conclude about how carefully drafted some of the new “closed list” powers are, I simply cannot think of any other way to square the constitution with some of the more potent threat reduction powers I believe are quite properly on the table (e.g., interfering with a suspected terrorist’s communications).
Second, I had not quite appreciated the extent to which CSIS was on the cusp on being paralyzed by its old law. For one thing, the limitations in its Act on retaining information – most dramatically illustrated by the Fall 2016 Federal Court decision on the CSIS ODAC initiative (see a write up here) -- must be deeply constrictive of CSIS deploying big data analytics – or even basic Boolean searching – on information…that they cannot have. There are, of course, all sorts of privacy concerns – which is where close study is required of both the revamped collection and retention rules and their checks and balances. But at some point, one must concede that if you are to have an intelligence service, it needs to be able to collect, retain and analyze intelligence. (Privacy protections have always has been about checks and balances, from their inception in the early common law through to the present day).
For another thing, I had not quite appreciated how dramatically changes in the concept of Crown immunity – and doubts about its application to CSIS operations – must be crimping operations. It may not be too much of an exaggeration to say, with all the new terrorism crimes introduced since 2001, that every CSIS officer and source covertly infiltrating a terror plot is at risk of prosecution. CSIS recruiting must go something like: “Thank you for your service. As soon as you participate with this group, you are a criminal. But we’ll put in a good word with the prosecutor – assuming we’re prepared to cough up our secret op details. Hopefully things will be ok.” The response must be something like: “No way.” Or: “Ok, give me $8 million.”
I have no way to know if the problem is that dramatic. But legally, it may be. And if so, together the limit on CSIS data retention and the crimp on human source immunity is pretty serious. It might mean that Canada risks not having a real security intelligence service.
Unless you think the world is much safer than I think it is, that is an unhappy prospect. It is actually astonishing that this was not fixed a long time ago. So the issue is: are you happy with the C-59 solutions? And in responding, the first thing I look for it: checks and balances. So far as I work through the details, I think they measure up quite well – indeed, potentially very well, measured against international comparisons.
Third, the Communications Security Establishment has been burdened with too little law, and too narrow a mandate. On law, we have known since it was first given statutory footing in 2001 that the issue of Canadian-origin information intercepts raised constitutional issues. People have been writing about it for a long time. But it was one of those questions that were, um, academic, until Snowden. After that, it became a matter of public controversy, and litigation. Fixing this was never that hard – and I am very pleased to see that C-59 proposes what I think is a viable and even elegant approach. (Although there is a bug in the drafting, I think, that may leave the problem unfixed. That requires more explaining, and I will blog on that soon.)
On mandate, CSE’s cybersecurity mandate basically reaches: get into a defensive crouch, protecting your core and vital organs, while the North Koreans, Russians, Chinese, hackers etc pummel you. But the world has changed since 2001. The new “active” and “defensive” cyber operations powers, and the broadening of the traditional cybersecurity mandate make a lot of sense. Again, that assumes you agree that the world presents real security challenges that require viable responses. If you do, then the remaining question is: are you happy with the checks and balances?
Four, tempering C-51, and adding a whole host of checks and balances is actually security-affirming. In a democracy, the activities of the security service depend on consent and cooperation. Security powers that validate a lot of conspiracy theories erode that “social license”.
C-51 took a lot of conspiracy theories from “plausible only if you assume everyone is a legal rogue and ethically unhinged”, to “legally possible, even if still doubtful in practice because the people involved are not venal and unethical”. (Our various commissions of inquiry criticized the services, but did not suggest wrongdoing was ill-intentioned – with the exception of the poisonous leaks someone released to smear Maher Arar.) But as anyone who has spent more than 5 minutes working in a human institution knows, people and institutions make mistakes – sometimes enormous mistakes. Silos, group think, cognitive bias, habit, incompetence, laziness, inattention, petty jealousies. All the vices of the human form. Law, guidelines, protocols, oversight, review and checks and balances are what we use to minimize the prospect of systems failing, especially where the consequences of failure are significant.
C-59 puts the law back in play as a code of conduct, in a way that C-51 relaxed too much. I think that is important. One might expect this of a law professor. But I cannot really think of any examples of where “the gloves are coming off” approach to security law and policy in a democracy has worked well. It tends to produce outcomes that some future political leader needs to apologize for, after a commission of inquiry, disastrous court losses, public acrimony and a general erosion of public trust.
Administrative Burden: Better than the alternative
And that brings me to the administrative burden conversation. C-59 will amp up the checks and balances in national security law considerably. So considerably that Canada may well be back to where it was in 1984: a leader in this area. Predictably, there will be anxiety that this will shackle responses, drain resources and infuse lawyers and overseers into the nitty-gritty of security work. C-59 is, in some respects, the judicialization of intelligence that former CSIS director Jim Judd disliked a decade or so ago.
It is also consistent with developments in other Five Eye states, and even the French have new law in the area of intelligence. (The French, famously, have had little). It is inevitable: as soon as you focus on security threat emanating from your civil society, intelligence starts to drift closer to police work. And so, it needs to abide by at least some of those standards that guard police work (many of which echo those announced by Robert Peel in establishing the first police force in the 19th century).
The new systems could be impossibly bureaucratic. Or they could be elegant and effective. Much will turn on design, resourcing, staffing. Inattention on these issues will produce disasters: impairing necessary security conduct, done by cautious, risk-adverse services; and/or overpromising on accountability without delivering.
But I will say this: they are the quid pro quo to accomplishing that security expansion noted in the first four points of this blog. C-59 should establish a regularized, professionalized system of checks and balances. And whatever burden they impose, that would be dwarfed by the burden imposed by a creaky, inadequately constructed security system that lurches from scandal to commission of inquiry to judicial slap-down; with powers uncertain, planning interrupted by public controversy and all your staff-time devoted to appeasing a disgruntled Parliament, judge or commissioner. In other words: the 2000s. I don’t know anyone (in any walk of life) that wants to go back to the scandal/response system of national security policy-making. That would be bad for security and rights.
In sum, C-59 is probably in, or near, the Goldilocks space between too hot and too cold. Which is not to say it is perfect, or that it fixes everything, or will please everyone. For instance, the SCISA is not falling. (The author chuckles to himself.) And it isn’t to say we won’t suddenly discover a new concern in the 150 page document.
But based on about 5 readings of the full text and some deep dives on some of the more complex parts, it appears to be more carefully crafted than anything we’ve seen in this area in a long time – probably the 1988 Emergencies Act, and before that the 1984 CSIS Act. That’s a good place to be, going into the parliamentary process.