One of the most insidious elements of Bill C-59 is the way it facilitates bulk collection, and mass surveillance without using those terms. C-59 envisions two distinct, but related frameworks for the collection of information: one for CSIS, and one for CSE. Both allow for the untargeted and near-limitless accumulation and analysis of millions of pieces of data—the very definition of bulk collection and mass surveillance.
Changes to the CSIS Act create a complex framework for the collection, use, retention, analysis and management of “datasets,” with some safeguards, including requiring ministerial and court approval for certain kinds of Canadian data. However, one of the most troubling parts of the new dataset provisions is an exception to the general protections for datasets primarily about Canadians or people in Canada: if data is considered “publicly available,” then it’s fair game for collection, without a warrant. In some cases, that collection must be “strictly necessary”—but in others, it need only be deemed “relevant” to the duties and functions of CSIS. The term “publicly available dataset” is a term somewhat circularly defined in the Act, creating a very broad opportunity for CSIS to engage in the unnecessary and disproportionate collection of information about innocent individuals.
Retention is another problem altogether. In a recent Federal Court case, CSIS was found to have been illegally keeping information related to thousands of innocent Canadians long after it was necessary, and found to have breached its duty of candour to the Court by withholding that fact. The dataset provisions in C-59 seem to make exactly that kind of data collection and retention legal.
The CSE Act changes are complex. On the one hand, CSE is obligated to act proportionately (and subject to approval from the Minister and newly created Intelligence Commissioner) in many of its information-collecting practices. On the other hand, the CSE Act appears to regard the bulk acquisition of data—“unselected” in the terminology of the Act—as reasonable and proportionate as long as such activities are not directed at Canadians and persons in Canada. This disregard for the privacy of all non-Canadians abroad is inconsistent with international human rights law. The CSE Act’s attempts to protect the privacy of Canadian persons is also not cause for reassurance. The new regime leaves untouched the Establishment’s ability to collect and use Canadian data so long as its activities are “directed” elsewhere, and this protection only applies to two of CSE’s proposed five mandates. CSE’s ability to collect millions of data points on Canadians under this kind of a regime is already well-documented, particularly following the Snowden revelations.
Even more concerning, the CSE Act introduces new exceptions that allow the agency to collect even more Canadian data. Not unlike the CSIS Act’s dataset provisions, the new CSE Act would also create an exception permitting it to direct its activities at Canadians or people in Canada where the collection of “publicly available information” is concerned. The scope of such information is expansively defined, including information “that has been published or broadcast for public consumption, is accessible to the public on the global information infrastructure or otherwise or is available to the public on request, by subscription or by purchase.” For an agency that isn’t supposed to be directing its activities at Canadians or people in Canada to begin with, creating an exception that facilitates the collection of every piece of Canadian information online that can be found, requested or purchased (in almost any format, from almost any source, across all aspects of the global information infrastructure) is deeply troubling.
The federal government has yet to make the case that these kinds of bulk data collection practices are either necessary or proportionate—and experience has taught us that where issues of terrorism and national security are concerned, bigger haystacks are not the same as better magnets to locate that pesky pin. In addition, CCLA is concerned that including information available “by purchase” within the definition of “publicly available” may encourage the creation of questionable grey markets for data or establish problematic incentives to make more personal information about Canadians and people in Canada purchasable in the first place.