Parliament Hill: The balancing Act – Canadian Government Executive

NEWS

SEARCH

E-governmentICTSecurity
October 24, 2017

Parliament Hill: The balancing Act

In December 2011, then Prime Minister Harper and President Obama released the Beyond the Border Action Plan for Perimeter Security and Economic Competitiveness. As part of the plan, Canada and the United States committed to establishing a coordinated entry and exit information system that includes sharing information so that the record of a land entry into one country can be used to establish an exit record from the other.

Earlier this month I had the privilege of testifying as an expert witness before the House of Commons Standing Committee on Public Safety and National Security. The subject of the proceedings was Bill C-21, an Act to amend the Customs Act. My March 2016 column on IT in Canada, “No, the sky is not falling,” discussed the exchange of personal information between Canadian and American authorities that C-21 proposes to expand.

My opening statement outlined the situation and potential cybersecurity concerns:

In December 2011, then Prime Minister Harper and President Obama released the Beyond the Border Action Plan for Perimeter Security and Economic Competitiveness. As part of the plan, Canada and the United States committed to establishing a coordinated entry and exit information system that includes sharing information so that the record of a land entry into one country can be used to establish an exit record from the other.

According to the CBSA, Phase I ran from Sept 2012 to January 2013, during which time “both countries tested their capacity to exchange and reconcile biographic entry information of third-country nationals (non-U.S. or Canadian citizens), permanent residents of Canada who are not U.S. citizens, and lawful permanent residents of the U.S. who are not Canadian citizens having crossed at four land ports of entry in British Columbia/Washington State and Ontario/New York.”

In June 2013, Phase II expanded the program to all common land border ports of entry with the processing capacity to capture traveller passage as an electronic record. During this phase, information was not shared on Canadian or U.S. citizens, Registered Indians, or protected persons.

What we are essentially talking about today is the next phase of the Entry/Exit Initiative and expanding information sharing to all travellers at land border crossings. It is understandable that Canadians are concerned about the prospect of Canada and the United States sharing personal information.

From a security perspective, I see three areas of potential concern:

First, there is the actual impact of information sharing between CBSA and US Customs and Border Protection. To understand that impact, we need to consider what is being shared, and I’ll quote the Privacy Impact Assessment summary for Phase II published by the CBSA:

“At entry, each country presently collects the following data elements as agreed to for the Phase II exchange: Name (first, middle, last), Date of Birth, Nationality/Citizenship, Gender, Document information (type, number and country of issuance)…The only data to be exchanged, which are not already known to the receiving country, will be the date of entry, time of entry, and the port through which the individual has entered.”

Assuming that information sharing is constrained to this set of biographical data, which I see reflected in Bill C-21, this exchange of information between CBSA and US CBP has no practical impact on honest, law-abiding travellers.

The second area is how this information is protected in transit and at rest. Canada has proven methodologies to assess cybersecurity risks, and specific guidance on the security controls required to effectively protect this type information is readily available. Assuming cybersecurity aspects of this data sharing are taken seriously, there is minimal risk to Canadians.

The third, and perhaps most difficult area, is ensuring that the information is used only for the intended purposes. When any entity, public or private, has information, there is always a temptation to find new uses for it. Abuse of information by individuals is a problem. Informal information sharing between organizations can give rise to serious security and privacy concerns. I understand that the Privacy Commissioner has been involved, and hope that continues. I also applaud CBSA for publishing a summary of their Privacy Impact Assessment. As legislators, I urge you to ensure appropriate privacy controls are in place, and make it clear to Canadians how and under what circumstances this entry and exit information may be shared outside of CBSA.

One interesting question I was asked by a Member of Parliament involved appropriate data retention timeframes, and there is no clear answer. Privacy principles suggest that data should be retained only as long as required to fulfill the purpose for which is was collected. It is difficult to contemplate why information on border crossings would be required for longer than tax records, and hopefully, discussions between CBSA and the Privacy Commissioner will result in a retention decision that balances personal privacy and national security interests.

Responding to a question from M.P. Peter Fragiskatos on security vs. privacy, I told the Committee:

“There is a balance. Particularly when we’re dealing with issues of law enforcement and issues of national security, there is a very delicate balance. I feel for legislators because, on one hand, Canadians demand that you protect them, you protect the country, and you ensure that law enforcement and intelligence agencies are able to do their jobs. On the other hand, Canadians demand privacy.

One of the important elements in that balance is the Privacy Commissioner. I wish I could draw a line and say, here is security, here is privacy, and here is where we should sit, but it really depends on the situation and it depends on things like the type of information. I’d urge you to go back to those basic privacy principles. Certainly, we’ve Canadianized them, but the principles in our privacy legislation are drawn from European privacy principles, and they’re really principles that are commonly agreed on by many countries around the world. I think those are very helpful to look at.”

About this author

Eric Jacksch

Eric Jacksch

Eric Jacksch is a leading cybersecurity analyst with over 20 years of practical security experience. He has consulted to some of the world’s largest banks, governments, automakers, insurance companies and postal organizations. Eric is a regular columnist for IT in Canada and was a regular columnist for Monitor Magazine and has contributed to several other publications.

0 comments

There are no comments for this post yet.

Be the first to comment. Click here.

E-government
 
We are excited to announce that the October issue of Canadian...
 
Earlier this month I had the privilege of testifying as an...
 
Canadian Government Executive Media, (CGE) publisher of Canadian Government Executive magazine...
 
Public sector managers from all levels of government across Canada increasingly...
 
Does your organization have a very narrow view of what digital...
 
With businesses and government agencies increasingly operating in a highly information-based...
 
Blockchain. There’s probably no other technology trend in recent years that...
 
Over the last two years, an ever-growing number of organizations around...
 
Canadian Government Executive is excited to announce the agenda for TechGov...
 
Canadian Government Executive media through its upcoming TechGov event is providing the...
 
In a rather unusual, quiet manner this past summer, a new...
 
What would it mean for tax professionals to boost their tax...
 
We are pleased to provide you with an opportunity to help...
 
Canadian government agencies and departments are modernizing the way they do...
 
In this episode, Editor-in-Chief of CGE, George Ross talks with Sir...
 
In this episode, J. Richard Jones talks about the appointment of...
 
In the wake of the WannaCry outbreak, corporate executives, IT professionals,...
 
Facebook Pages can be an essential tool for businesses and charities,...
 
Please to view this Content. (Not a member? Join Today! )...
 
Nearly half of Canadian organizations are falling behind on implementation of...
 
As Canadians prepare to fill up their tax forms this year...
 
There is no shortage of examples of businesses that effectively used...
 
The latest Auditor General’s report on Shared Services Canada (SSC) and...
 
In 2011, the World Economic Forum presented its vision of a...
 
By: Patrice Dutil The MindLab meets every expectation you might have...
 
By Gregory Richards A recent study by McKinsey Global Institute suggests...
We are excited to announce that the October issue of Canadian...

Member Login

Forgot Password?

Join Us

Password Reset
Please enter your e-mail address. You will receive a new password via e-mail.