The Bill C-51 anti-terror law debate has been contentious and wide-ranging, yet few commentators have drawn on experience or expert voices from elsewhere to understand its implications.

Bruce Schneier’s is one such voice. A security professional and technologist, he’s one of the most authoritative and knowledgeable voices on security and privacy today; a “security guru,” in the words of the Economist. Fortunately for Canadians, he has an excellent new book out entitled Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World, which tackles many of the technical, legal and policy issues arising from government and corporate data gathering and surveillance, and other actions of security agencies.

Though Schneier’s book is most useful for scrutinizing the activities of Canada’s signals intelligence agency, the Communications Security Establishment (the CSE, our National Security Agency, if you will) — whose cyberwarfare toolbox was recently unveiled thanks to Edward Snowden’s leaks — it also offers important insights for government security practices more broadly, including Bill C-51, which will dramatically expand the powers of the Canadian Security Intelligence Service (CSIS), Canada’s spy agency.

In the interests of full disclosure, I should say that I know Bruce from my time at Harvard University’s Berkman Center for Internet and Society, where we were colleagues (I was a fellow and am now a research affiliate there). Colleague or not, however, Schneier has something to say about Canada’s present anti-terror law debate.

Canadian experts and commentators, such as the Citizen Lab’s Ron Deibert, Policy Options blog contributor Dean Lorne Sossin and Policy Options author Kent Roach (March-April 2015), have offered powerful critiques of Bill C-51. Roach has, with Craig Forcese, led the charge in explaining the Bill and its troubling implications, particularly the risk that many of the new powers conferred on CSIS are couched in very broad and vague language and may easily lead to abuses of Canadians’ rights.

In response, the government has announced plans for minor amendments to the Bill, to address a few instances of overly broad language. Most notably, it is clarifying language in the law that previously suggested “unlawful” protests or dissent may constitute a threat to Canada’s security. It is also reining in previously “unlimited” government sharing of people’s personal information under the Bill, and is clarifying that CSIS will not be able to arrest people under its new “disruption” powers.

While these changes are a help, a vast majority of the Bill’s problem provisions remain — such as the new powers of “preventive detention” (with few rules concerning how detentions are conducted); the vague new provision criminalizing terrorism-related  speech; and the new, but still secret, judicial proceedings to authorize CSIS to “breach” Charter rights. And CSIS’s power to “disrupt,” even if amended, is still too vague, as it allows for a range of troubling actions short of arrest, such as physically confronting targets, disturbing property or interfering with other government actors. In short, there is ample room for the rights and interests of Canadians to be flouted or infringed.

Oversight in Canada, whether through Parliament or courts, if maintained in secret, is set up to fail.

Beyond this handful of amendments, the government and its supporters have responded to criticism in primarily two ways. First, Canadians should trust the “professionalism” of CSIS to use these new powers “sparingly if at all,” because these powers are so “controversial” that their misuse would bring CSIS’s legitimacy “into question.” Second, even if there are abuses, there is adequate oversight to catch them. As the Prime Minister stated in Parliament on February 3, 2015: “We already have a rigorous system of oversight on our national security police agency…It functions very well.”

These responses are weak and misleading. Three insights in Schneier’s book help illustrate why.

First, security agencies like CSIS employ a maximalist operational philosophy. There’s a great quote that Schneier cites by former NSA director Michael Hayes that illustrates this point: “Give me the box you will allow me to operate in. I’m going to play to the very edges of that box…You the American people, through your elected representatives, give me the field of play and I will play very aggressively in it.” Security agencies are not incrementalists.  They aggressively interpret their legal and intelligence-gathering powers, take advantage of grey areas in the law and push the boundaries in order to achieve their security and intelligence objectives.

Even with the limited oversight we have concerning CSIS’s secretive operations, it appears the agency takes an equally aggressive approach. Justice John Major, in the Air India commission final report, found CSIS took an “expansive view” of its mandate. More recently, CSIS’s inspector general (an office that the government eliminated in 2012) reported that the agency regularly flouted its own rules and policies. And in one of the few court rulings concerning CSIS’s clandestine activities that were made public (at least in part), Justice Richard Mosley essentially found CSIS had misrepresented its activities to the court in order to circumvent legal restrictions on its cooperation with foreign spy services.

CSE, which assists CSIS with foreign intelligence gathering, also acts aggressively, exploiting uncertainty about the legal status of metadata (that is, data about data) by “incidentally” collecting troves of it on Canadians’ communications; conducting “tradecraft” field tests involving tracking, analyzing and correlating public Wifi traffic data; or tracking and analyzing millions of downloads daily for suspicious activities. These are not the activities of restrained or reserved security agencies. (For more on CSE’s activities see the discussions by Ron Deibert at https://opencanada.org/features/c-51-who-knows-what-evils-lurk-in-the-shadows/ and by Christopher Parsons at https://www.christopher-parsons.com/five-new-sigint-summaries/.)

Ironically, the “professionalism” that Christian Leuprecht cites in defence of Bill C-51 is precisely why the Bill is a problem. The professional culture of security agencies is not restraint — it is to “play to the very edges” of the legal rules imposed on them. And the legal rules in Bill C-51 are so vague and broad, the “edge” so uncertain, that abuses are not only possible but probable.  Or, as a former CSIS agent said to the National Post in February 2015, “[I]t’s not if it will happen. It’s when.”

A second observation from Schneier concerns oversight, one of the most contentious issues surrounding Bill C-51. For Schneier, no matter whatever form it takes, oversight is useless without transparency. Critics like NDP Leader Tom Mulcair and Liberal Leader Justin Trudeau, for example, have argued for US- or UK-style oversight to be incorporated in the Bill.  Yet, while the Security Intelligence Review Committee (SIRC), with its underfunded after-the-fact “snapshot” reviews of CSIS activities, is so weak it cannot seriously be considered “oversight,” American and British approaches are not models to follow. Why? They lack transparency.

With oversight by elected officials or tactical oversight by courts, so long as these mechanisms remain secret with little transparency and accountability, neither will be effective, for the same reason. In both situations, the information that judges and elected officials rely on to make their decisions is supplied by the spy agencies themselves.

Schneier documents several cases in the United States — which has congressional oversight — where security officials misled committee members. In Canada, with its secretive judicial proceedings — one of the few mechanisms presently used for independent operational oversight of CSIS activities — it is similarly difficult for courts to ensure rules are followed, given their traditional passive role and the fact that the information is supplied by the government. Schneier also details in his book how recently declassified opinions from the Foreign Intelligence Surveillance Court — the judicial body overseeing US surveillance — suggested security officials were gaming the system: that is, making misrepresentations to the court and, in Schneier’s words,“regularly exceed[ing] its legal authorizations.” Troublingly similar is the finding of Justice Richard Mosely, mentioned earlier, which found CSIS had misrepresented its activities and breached its duty of candour to the court. Oversight in Canada, whether through Parliament or courts, if maintained in secret, is set up to fail.

Some form of ongoing oversight, with strong independence from government, is warranted. On this count, I would certainly support recent calls to strengthen the mandate and budget of SIRC, but only if the SIRC chair is treated more like an officer of Parliament — a permanent and long-term appointment with a budget and staff similar to the auditor general’s — with appointees also having the requisite expertise and experience. Just as no one would appoint a politician with no prior professional expertise as auditor general, the same should apply to a body as important as SIRC.

But even that is not enough because SIRC provides only a review function. Tactical, or operational, oversight is required. This would likely require some major institutional or legislative changes, but an initial step would be to reinstate the Inspector General’s Office within CSIS; as Dean Sossin has pointed out, this would at least provide some internal mechanism for accountability. We must avoid, as Ron Deibert aptly put it in a March 2015 article, “entrenching 1950s-era oversight of a 21st century security service machine.”

This leads to the third important observation from Schneier: governments do not reform themselves. Once large-scale legislative schemes like Bill C-51, with new powers and capabilities, are passed, the bureaucratic and institutional inertia within government will lead it not only to retain those powers, but also to expand them again over time. This has certainly happened in Canada: CSIS’s powers increased after 9/11 and they will dramatically increase again if Bill C-51 is passed, which is very likely. That means Bill C-51 must have some concrete mechanisms built in to reverse that inertia. One way to do that is through sunset clauses, like those suggested to the Senate Standing Committee on National Security and Defence by Roach and Forcese, which would require a positive legislative step to extend the new powers in C-51 at some fixed time in the future. This is important, because it would be one way to ensure a proper parliamentary debate on point.

But sunset clauses are also imperfect. If Bill C-51 is addressed before the sunset period expires, the powers can be made permanent without any further review.  Another problem is that when the “sunset” period is due to be addressed, a government with a majority can shut down full and proper parliamentary debate and committee review, leaving Canadians still in the dark. So more steps are needed to ensure broader scrutiny and resist government inertia. One way would be to include a statutory requirement for a comprehensive review of CSIS’s use of Bill C-51 powers every four or five years, to be conducted by SIRC, and with a full report presented to Parliament. This would be another safeguard to ensure government and CSIS face a serious scrutiny in the light of day.

Some may scoff that the suggestions here, articulated through the American experience, are impossible given the government’s intransigence. Yet its recently announced plan for amendments, albeit minor ones, suggests at least an inkling of flexibility. Perhaps the government can be moved further? “Fatalism,” implores Schneier, “is the enemy of change.” Indeed. So let the debate go on.

Photo: CP Images