Privacy and Security: Bringing Digital into Focus

21st Annual Privacy and Security Conference
Keynote Address by Murray Rankin,
Chair of the National Security and Intelligence Review Agency (NSIRA)

Thursday, February 6th, 2020, Victoria, British Columbia

Introduction

  • Good afternoon everyone and thank you for the opportunity to speak to you as Chair of NSIRA. For those who have not been to Victoria before, I wish you a warm welcome!

  • I start by acknowledging that we are meeting in the traditional territory of the Lekwungen-speaking people, today the Songhees and Esquimalt First Nations. 

  • And I must add that any weather in the last couple of days that is colder than usual or perhaps involves snow, is entirely unconstitutional and will be dealt with by the appropriate authorities.

  • Let me congratulate Reboot Communications for convening an impressive group of Canadian and international experts; I appreciate the opportunity to explain the scope and importance of review in the national security arena, especially when it comes to privacy – security – and the digital world we live in.

  • Conferences like this, which bring together leadership and innovation, are critical particularly today at a time when privacy and data protection represent the number one issue for businesses and governments around the globe.

  • As the Chair of the newly formed National Security and Intelligence Review Agency – or NSIRA as it is known, I have seen how technology is at the intersection of privacy and security. It is our shared interest in this intersection, at these crossroads, that brings us together here.

  • I'd like to start by explaining our new legislative powers – to give you some idea of how substantial our mandate is and how it relates to the core of the issues being discussed at this conference – that is the theme of "bringing digital into focus". Second, I will provide you with an update on our progress now that we are 6 months into our new mandate. Finally, I want to leave you with some overarching thoughts as we move into a new decade of security and intelligence review.

NSIRA's mandate

  • I will start with a bit of history. Last summer, on July 12, 2019, the National Security and Intelligence Review Agency Act came into force as one part of the former Bill C-59, the National Security Act. We replaced the Security Intelligence Review Committee (SIRC) which only reviewed the Canadian Security Intelligence Service (CSIS), and we inherited the role of the Office of the CSE Commissioner (OCSEC), which reviewed the Communications Security Establishment (CSE).

  • I was proud to have been asked by the Prime Minister to take on the role of Chair of this brand new agency. Although I am now required to be non-partisan, you may know that I am a "recovering politician" and one drawn from an opposition party, NOT the governing Liberal Party. Before appointing me as Chair, the leaders of the Conservative Party and NDP were consulted. I hope this fact will provide additional assurance to Canadians that NSIRA will be entirely independent of the government. In addition, the 6 remarkable Canadians with whom I serve on our board offer up a wide array of perspectives.

  • Given our new mandate, we can now review any activity carried out by CSIS or CSE, as well as any activity carried out by any federal department or agency with a nexus to national security or intelligence. I hope that this broader mandate should give Canadians the assurance that there are review mechanisms in place to ensure our national security community remains accountable. The work we do complements the work of two other agencies:
    • 1. the National Security and Intelligence Committee of Parliamentarians and
    • 2. the Office of the Privacy Commissioner of Canada, among other agents of accountability. 

  • NSIRA has two distinct responsibilities – hearing complaints and conducting reviews. On the complaints side, we investigate complaints from members of the public concerning the actions of CSIS and CSE, as well as certain complaints related to the RCMP where there is a nexus to national security. We also investigate complaints related to the government's security clearance process, as well as specific matters and reports referred under the Citizenship Act and the Canadian Human Rights Act. Not getting a security clearance can be devastating to the careers of public servants or those in the private sector who supply goods or services to government.

  • On the review side, we produce classified reports on any activity carried out by any department if that activity has a nexus to national security or intelligence. NSIRA may make findings and recommendations as to whether government agencies have complied with the law or ministerial direction, AND on whether their powers have been exercised reasonably and were necessary. You will understand that this is very broad language so NSIRA has a substantial scope to make findings and recommendations.

  • In any liberal democracy, agencies must identify and minimize national security threats in a manner that conserves the state's capacity to identify and foil future threats. The activities taken to do so must be lawful, effective, efficient, proportionate to the threat, and necessary in the context. Beyond strict compliance, then, we also have a mandate to make broader assessments of how well the system is working, and whether the system is able to deliver good national security and intelligence outcomes for Canadians.

  • NSIRA members work with a highly committed Secretariat which now consists of approximately 50 people, with the possibility of this growing to 100. We are fiercely independent and we have access to all national security material to help us in the performance of our duties. In both the complaints and review functions, we are entitled to decide what information is relevant. And agencies cannot withhold any information from us, with the single exception of Cabinet confidences, (which should rarely be relevant to our work in any event).

  • I want to emphasize that the mandate of NSIRA was constructed such that we have enormous flexibility to set our own review agenda. Measured in terms of size, scope and access, NSIRA ranks at the very top of review bodies for intelligence internationally. We take this responsibility seriously and remain accountable to Canadians to ensure that their rights are protected.

Our progress

  • I want to tell you about the progress we have made to date and about our priorities going forward. Since the agency was created just over 6 months ago, we are working hard to put in place all the building blocks so that we can fully deliver on our mandate.

  • As we build NSIRA, we are mindful of the high expectations Canadians have of us. We understand that the public expects transparency from us. To that end, you may have seen on our Twitter feed or on our website that we have committed to declassifying past reviews undertaken by our predecessor, SIRC, and posting them online as soon as possible to give Canadians access to the valuable information they contain. We are exploring whether it will be possible to do the same with past reports as well of the former Office of the Communications Security Establishment Commissioner.

  • We understand that we need to be accessible to the public whose interests we serve. I hope that regular engagement with Canadians through events like this, as well as with all relevant communities and experts, will foster constructive dialogue on issues of shared interest. We are also launching a series of public engagements. These will deepen our networks and our understanding of Canadians' expectations of us.

  • Internationally, we are and will continue to be actively involved with the Five Eyes Intelligence Oversight and Review Council or FIORC. Our participation in FIORC ensures that we are at the table when issues that touch on our mandate are discussed internationally. 

  • Closer to home, we are collaborating with the Office of the Privacy Commissioner of Canada to ensure that we avail ourselves of the expertise that exists on privacy issues. Together, we will be stronger.

  • We are keenly interested in understanding the implications of Artificial Intelligence as it relates to review bodies. In this vein, we will engage with experts in this field to learn about their implications and are also considering how to best attract and recruit people with this type of skill set.

  • We are committed to excellence in our review work and are putting in place the structures and processes needed to maintain the highest standard. Similarly, we are improving efficiencies in the complaints process, and continuing to ensure access to justice in an expeditious manner.

  • We are already deep into our review mandate, having completed three reviews under the NSIRA banner. We are making progress on defining our research plan and broader priorities as we go forward. The review plan will act as a focus for our review work for the foreseeable future. It is an expression of our priorities as an organization and it is critical that we get this right. We recognize that our review plan must reflect the concerns and priorities of Canadians and we are using discussions like these to inform these decisions.

Privacy and Security

  • Today, and especially here among you all, I am mindful of the increasing role for technology and big data in intelligence. No longer does intelligence work break down neatly into human intelligence and signals intelligence. Understanding and assessing the implications of this shift is a priority for NSIRA.

  • I think it would be safe to say that everyone in this room is caught up in one way or another in the same trends: Artificial Intelligence, quantum computing, big data/data analytics, the evolution of social media and other forms of open source intelligence, and next generation mobile (5G) to name a few. One of our NSIRA members, Prof. Craig Forcese, refers to the dizzying pace of technological change in communications as "the cyber arms race between collectors of information and defenders of privacy". NSIRA is right in the middle of this cyber arms race.

  • These have powerful implications for intelligence and so they have powerful implications for the review of intelligence. In the face of this, there is concern that rapid technological change may outstrip our ability to provide effective review.

  • These trends are manifest in many ways and are of ongoing public concern. At this point I'd like to point you to a New York Times article, published in December, which detailed a single dataset comprised of, according to the Times, "more than 50 billion location pings from the phones of more than 12 million Americans as they moved through major cities."  I invite you to take a moment to consider the magnitude of this single dataset.

  • Not surprisingly, the article asks its readers to "consider the national security risks the existence of this kind of data creates and the specter of what such precise, always-on human tracking might mean in the hands of corporations and the government."

  • The specific example of geolocation information as described in this article is an illustration of the potential use of enormous volumes of data in the intelligence sector.

  • What's interesting here from NSIRA's perspective is that one of our very first reviews looked at the use of geolocation information and explored some of the very questions raised in the New York Times article.

  • Details about this review and its findings will be released shortly. I invite you to follow NSIRA Canada on Twitter. As soon as the review is declassified, we will release it online as well.

  • The role of review bodies in this context is an evolving question. Recent court decisions on the lawfulness of bulk collection, including decisions from the European Court of Human Rights, have considered the adequacy of guarantees "against arbitrariness and the risk of abuse". That means that, at least in certain cases, the lawfulness of collection has depended on the strength of independent review bodies such as NSIRA and their ability to provide adequate guarantees.

  • Closer to home, Canadian courts are also attentive to the review system when considering the technical collection and retention practices of intelligence agencies. The issue of how review bodies "keep up with technology" therefore is a critical question, including for the intelligence agencies themselves, who must rely in to a considerable degree on the robustness of the review system to obtain the social license for their collection.

  • These trends also mean that NSIRA and other review bodies must be knowledgeable and master the details and implications of increasingly complex technological activities.

  • Review bodies will also need to have the skills necessary to delve deeper into technological architecture, automated data processing and analytics and rules based systems to understand and validate legal compliance and privacy protections. It is no small feat to attract and retain individuals with skills and experience in both review methodology and with information technology experience or education. We are here in part because we are looking to build networks and build bridges to those who are at the forefront of technical change.

Conclusion

  • I will return at the end to something we all know: that the expansion of the activities of security and intelligence agencies in the digital world over the last twenty years has been dramatic. Data gathering and exploitation is now regarded as essential in the fight against terrorism, against clandestine foreign intelligence activities and other threats to national security. There is no turning back.

  • Like you, we are very aware of the potential privacy implications of the use of technology by intelligence agencies. We will do our utmost to stay abreast of changing technology, including by participating at events like this one. And we will be vigilant in our defence of privacy rights as we scrutinize the activities of intelligence agencies in the digital realm and elsewhere. Ultimately, NSIRA issues non-binding recommendations to departments and agencies and cannot compel their implementation.

  • However, you have our commitment, and mine personally as Chair of NSIRA, that we will carry out an ambitious review plan, that we rigorously assess the agencies' operations and do not shy away from difficult topics and conversations with them, and that we will report to Canadians as transparently as the law allows on the results of our findings so that Canadians are is always better informed and we are better able to hold government accountable.

  • I will also reinforce my commitment to building an organization that is:
    • nimble, and responds to important issues as they arise;
    • that is responsive to the concerns of Canadians, and engages on an ongoing basis;
    • that is mindful of the need to be transparent in what it does and how it does it; and that is a center of excellence for intelligence review in Canada and internationally.

  • I leave you for now and thank you again for your attention today. I will be available to discuss with you during the conference. Thank you. 
Date modified: