Earlier this month I had the privilege of testifying as an expert witness before the House of Commons Standing Committee on Public Safety and National Security. The subject of the proceedings was Bill C-21, an Act to amend the Customs Act. My March 2016 column on IT in Canada, “No, the sky is not falling,” discussed the exchange of personal information between Canadian and American authorities that C-21 proposes to expand.
My opening statement outlined the situation and potential cybersecurity concerns:
In December 2011, then Prime Minister Harper and President Obama released the Beyond the Border Action Plan for Perimeter Security and Economic Competitiveness. As part of the plan, Canada and the United States committed to establishing a coordinated entry and exit information system that includes sharing information so that the record of a land entry into one country can be used to establish an exit record from the other.
According to the CBSA, Phase I ran from Sept 2012 to January 2013, during which time “both countries tested their capacity to exchange and reconcile biographic entry information of third-country nationals (non-U.S. or Canadian citizens), permanent residents of Canada who are not U.S. citizens, and lawful permanent residents of the U.S. who are not Canadian citizens having crossed at four land ports of entry in British Columbia/Washington State and Ontario/New York.”
In June 2013, Phase II expanded the program to all common land border ports of entry with the processing capacity to capture traveller passage as an electronic record. During this phase, information was not shared on Canadian or U.S. citizens, Registered Indians, or protected persons.
What we are essentially talking about today is the next phase of the Entry/Exit Initiative and expanding information sharing to all travellers at land border crossings. It is understandable that Canadians are concerned about the prospect of Canada and the United States sharing personal information.
From a security perspective, I see three areas of potential concern:
First, there is the actual impact of information sharing between CBSA and US Customs and Border Protection. To understand that impact, we need to consider what is being shared, and I’ll quote the Privacy Impact Assessment summary for Phase II published by the CBSA:
“At entry, each country presently collects the following data elements as agreed to for the Phase II exchange: Name (first, middle, last), Date of Birth, Nationality/Citizenship, Gender, Document information (type, number and country of issuance)…The only data to be exchanged, which are not already known to the receiving country, will be the date of entry, time of entry, and the port through which the individual has entered.”
Assuming that information sharing is constrained to this set of biographical data, which I see reflected in Bill C-21, this exchange of information between CBSA and US CBP has no practical impact on honest, law-abiding travellers.
The second area is how this information is protected in transit and at rest. Canada has proven methodologies to assess cybersecurity risks, and specific guidance on the security controls required to effectively protect this type information is readily available. Assuming cybersecurity aspects of this data sharing are taken seriously, there is minimal risk to Canadians.
The third, and perhaps most difficult area, is ensuring that the information is used only for the intended purposes. When any entity, public or private, has information, there is always a temptation to find new uses for it. Abuse of information by individuals is a problem. Informal information sharing between organizations can give rise to serious security and privacy concerns. I understand that the Privacy Commissioner has been involved, and hope that continues. I also applaud CBSA for publishing a summary of their Privacy Impact Assessment. As legislators, I urge you to ensure appropriate privacy controls are in place, and make it clear to Canadians how and under what circumstances this entry and exit information may be shared outside of CBSA.
One interesting question I was asked by a Member of Parliament involved appropriate data retention timeframes, and there is no clear answer. Privacy principles suggest that data should be retained only as long as required to fulfill the purpose for which is was collected. It is difficult to contemplate why information on border crossings would be required for longer than tax records, and hopefully, discussions between CBSA and the Privacy Commissioner will result in a retention decision that balances personal privacy and national security interests.
Responding to a question from M.P. Peter Fragiskatos on security vs. privacy, I told the Committee:
“There is a balance. Particularly when we’re dealing with issues of law enforcement and issues of national security, there is a very delicate balance. I feel for legislators because, on one hand, Canadians demand that you protect them, you protect the country, and you ensure that law enforcement and intelligence agencies are able to do their jobs. On the other hand, Canadians demand privacy.
One of the important elements in that balance is the Privacy Commissioner. I wish I could draw a line and say, here is security, here is privacy, and here is where we should sit, but it really depends on the situation and it depends on things like the type of information. I’d urge you to go back to those basic privacy principles. Certainly, we’ve Canadianized them, but the principles in our privacy legislation are drawn from European privacy principles, and they’re really principles that are commonly agreed on by many countries around the world. I think those are very helpful to look at.”