Meeting the Challenges of 2010 and Beyond
Remarks at the Public Safety Transformation Conference
November 30, 2009
Vancouver, British Columbia
Address by Chantal Bernier
Assistant Privacy Commissioner of Canada
(Check against delivery)
It is not possible, in my view, to speak about public safety transformation without addressing its privacy implications. Why? Because the two are intrinsically linked in a dynamic relationship between collective rights and individual rights – one defines the other.
If I could leave you with only one thought today, it is this: privacy and safety are not at odds. In fact, they complement each other morally and functionally: Morally, both privacy and safety characterize the society we have chosen to live in. Functionally, they work together to streamline, to focus each other. I hope to demonstrate that in a few concrete examples later on.
I will address the issue of protecting privacy in the context of transforming public safety in three parts:
- Summarizing, to set the stage, the new context for public safety
- Describing the established principles of privacy
- Illustrating, in concrete examples, how the immutable right to privacy applies in the ever changing context of security.
So first, let us take stock of how the context of public safety has changed.
1. The new context of public safety
I must confess that I have become weary, if not exasperated, at hearing, over and over, how, since 9/11, the context of public safety has changed.
Hearing that makes me cringe in the same way that I used to cringe when my mother would tell me that vegetables were good for me. I cringe for the same reasons: first, because I did not want to eat my vegetables and second because I knew she was right.
The same applies to the new context of public safety. So rather than dwell on the fact that it has changed, let us move straight to the way in which it has changed and how that impacts on the protection of privacy.
Chief Justice Beverley McLachlin gave, in my view, a brilliant speech last October, on the challenges of fighting terrorism while maintaining civil liberties. And she based her speech on this premise: threats to national security are not new; but their modalities are new.
That is exactly the focus we must adopt both in relation to how public safety challenges have changed and how privacy protection must respond: modalities.
1.1 The new modalities of security threats
A few years ago, when I was still Assistant Deputy Minister at Public Safety Canada, I was at an Assistant Deputy Minister’s meeting one day where a most seasoned, senior national security advisor to the then Prime Minister came to brief us on the current national security challenges we had to take into account. I asked him to summarise for us the main characteristic of how the national security context had changed.
He replied by giving me this illustration. He said, “Consider this: during the Cold War, the threat came from the Heads of State of the Soviet Bloc. And they would come to the US for medical care. We knew the state of every one of Ceausescu’s internal organs because the US had CIA doctors on his medical team. Now, we don’t even know where Osama bin Laden is.”
This vignette illustrates the three fundamental changes to the national security context:
- threat has gone from States to individuals
- threat has gone from focussed to diffused
- threat has gone from overt to covert
The impact on the protection of privacy is crucial: it means surveillance has moved from State information to personal information.
I will elaborate on this in a minute but first let us complete the picture by looking at the new modalities of crime.
1.2 The new modalities of crime
The main development here is linked to information technology. It has opened a new space for all aspects of our lives: we communicate through it, we buy through it, we even date through it, we keep in touch with friends...life has moved onto cyber-space. Naturally then, so has crime.
The new modalities of crime therefore, are essentially linked to information technology:
- organized crime uses IT for its transactions for both convenience and anonymity
- a new form of crime has developed using IT as a new tool whether for fraud, child exploitation or child pornography
- IT infrastructure has become a target of attack, a new venue, so to speak, for vandalism, theft, and infiltration of information systems.
The impact on privacy is again crucial: it means policing wants to move to the Internet – a place that we feel is private, personal.
2. The new context for privacy
So how, in this new context, do we protect that space for freedom that we call privacy?
The short answer is that we constantly rethink the modalities of privacy to ensure the preservation of the principles of privacy.
Let me describe how we apply this approach at OPC, in general and through specific examples.
At the OPC, in relation to the public sector, which is what is relevant here, we ensure compliance in relation to the protection of privacy through mainly 3 functions:
- we investigate allegations of privacy violations against any federal institution,
- we review Privacy Impact Assessments which are instruments prepared by federal institutions when they propose to implement programs or initiatives that include gathering personal information and
- we audit federal institutions to ensure that their established programs and policies comply with their obligations with respect to privacy.
We exercise these functions on the basis of a four part test:
- is the measure seeking to gather personal information or intrude on privacy necessary?
- is it proportionate to the need identified?
- is it effective in relation to the need identified?
- is there an alternative, towards the same objective, that would be less privacy intrusive?
Let me give you some concrete examples of that.
Since I have been appointed to this position, many issues have arisen that called for the application of this test to the relationship between privacy and public safety. The most recent, and most commented on perhaps, was our review of the Privacy Impact Assessment by the Canadian Administration for Air Transport Security, or CATSA, of a proposal to bring in Whole Body Imaging Scanners to some Canadian airports, and I will come back to it.
2.1 The Olympics
But the first one I had to address in my position was the issue of privacy and security at the Olympics.
We are faced with an interesting challenge: as the guardians of privacy for Canada, responsible for the compliance with the Privacy Act by the RCMP, CSIS, the CBSA, we must ensure security measures at the Olympics do not infringe upon privacy beyond what is strictly necessary to ensure public safety. But how do we know what is strictly necessary in an event of such magnitude and uniqueness?
We got around that accountability challenge by engaging the ISU in a dialogue to hold them accountable on the basis of the four part test: we asked them to justify the necessity, effectiveness of the measures they take. They provided extensive information in that regard. We recommended that the ISU appoint a Chief Privacy Officer - they did. We revisit these issues on a regular basis: the ISU has always been cogent and forthcoming.
We will not second guess them, but we hold them accountable for the proper integration of privacy and security.
Let me now turn to the issue of Whole Body Imaging Scanners to illustrate the application of the 4 part test.
2.2 CATSA WBI
Let me describe the proposal CATSA submitted to us, in a nutshell.
The WBI system that CATSA has chosen would work like this:
- a traveller would go through metal detectors exactly as is the case now
- also exactly as is the case now, either for cause or randomly, the traveller may be referred to secondary screening
- should a traveller be referred to secondary screening, he or she would have the choice between a pat down or a WBI
- if the traveller chooses WBI – which is faster than a pat-down and, to many people, less intrusive than a pat down which entails very insistent touching everywhere on the body – the traveller goes through a portal which sends an image of him that reveals anything he may conceal under his clothes – what CATSA is looking for is non-metal weapons such as ceramic weapons or plastic explosives
- the CATSA officer who sees that image is in a remote location and does not see the traveller – there is no correlation between the image and the identity of the traveller – another reason for which some travellers prefer the WBI since in the pat down there is such a correlation: the CATSA officer both feels and sees the traveller
- the moment the traveller leaves the portal, the image is deleted
- the security of the information is ensured by several measures including the fact that the CATSA officer in the remote location cannot bring in the viewing room any device that could allow reproduction or transmission of the image
- the image that is projected is not deliberately blurred but it is not precise enough to reveal the identity of the traveller even if the viewing CATSA officer actually knew the traveller.
So our first question to CATSA was, why is this necessary? Answer, several reasons:
- Threat and Risk Assessments have demonstrated the reality of a threat from non-metal weapons such as ceramic weapons and plastic explosives
- Most complaints in relation to airline security come from travellers who have received a pat down feeling harassed, even sexually harassed
- Some travellers prefer the WBI to the pat down for religious or other personal reasons – this offers them a choice
- The WBI takes half the time of the pat down
Our second question to CATSA then was how is the invasive measure proportionate to the objectives of safety and efficiency?
- The measure is exclusively in cases of secondary search, thus of exceptional nature.
- The image is never retained, in fact immediately deleted and does not reveal any more than is necessary to establish the presence or not of prohibited substances.
Thirdly, we challenged CATSA on effectiveness issues since that had been brought out in the report on the pilot project in Kelowna, for example, not seeing the hand and feet of tall travellers. CATSA explained that all effectiveness issues had been addressed.
Finally, we asked about the less intrusive alternative, and that is where we felt the matter was closed: WBI is strictly optional. No one who does not want to go through it will be made to go through it. Travellers would have a choice, however unsavoury the options are: if they are sent to secondary search, they have a choice between the pat down or the WBI scanner.
In short, we were satisfied that the introduction of the scanners is based on a real, rigorously assessed threat to security and that they are left to the choice of the travellers, according to how they wish to protect their relative privacy in the context of airline security.
2.3 Bills C-46 and C-47
In the next example I wish to share with you on the application of the four part test, we remain to be convinced. I am referring to the police and national security powers sought in Bills C-46 and C-47. Let me focus on section 16 of C-47 where the integration of privacy and security particularly comes to a head.
Section 16 currently provides that designated officers of a national security or law enforcement agency, never more than 5% of the total number of employees of that agency, could obtain, through a request in writing, from an Internet service provider, a name, address, telephone number and other personal information of an Internet user behind an Internet address, for whatever reason, without restriction.
The Bill also provides for internal audits of these written requests but there is no further authorization before the fact: for whatever reason, an officer may compel an Internet service provider to reveal all personal information related to an IP address.
Since the tabling of the Bill last June, we have been consulting with experts from law enforcement and national security agencies, with academics, with representatives from telecoms and from civil society. Yet, the questions of the four part test remain unanswered.
Firstly, why is it necessary to provide law enforcement and national security authorities such broad powers to breach privacy on the Internet? Why is obtaining personal information from an ISP not subject to a judicial warrant?
We got a few unsatisfactory answers:
- Police argue they do not always have the time for a warrant in the case of immediate danger. Our answer is that there are judges available 24/7, warrants can be obtained very quickly and emergency warrants provide for acting in an emergency and then subjecting it to judicial authorization. The deficiencies of the current system remain to be demonstrated.
- Police also argue they need such powers for situations for which there is no such thing as a warrant – for example to find a missing person: If the police want to have additional powers to find a missing person via the Internet, and that need is demonstrated, why not look at creating a new warrant for that?
At this point, the argument for necessity has not yet been made.
Secondly, even if a need was demonstrated for such power for the authorities to get personal information behind an IP address without a warrant – how is the measure proportionate to the need? Section 16 does not limit the powers to emergencies, life or death situations – it is wide open. And the case has not been made for this extent of powers to obtain personal information without judicial authorization.
One way to meet proportionality would be to limit the powers envisaged in C-47 to certain situations only where time is of the essence: For example, imminent danger of harm. But even then, we would recommend ex post facto judicial approval.
Thirdly, even if the measures were justified, the law enforcement and national security authorities would have to demonstrate their effectiveness. More information does not mean greater security. In fact more information can undermine the effectiveness of security measures. Consider this:
- Does more personal information not constitute an additional challenge for safety authorities to manage, to sift through, to interpret?
- Is it not more important to have relevant information through a streamlined disciplined process for collection, than to have a mountain of information relevant and irrelevant?
- Does it not create an additional challenge for assurance of accuracy of information to have vast amounts of information?
The alternative to such powers, which is the last question from the four part test, would then be this: couldn’t the current judicial warrant system be revisited, if indeed it does not meet the needs of the law enforcement and national security agencies in the era of the Internet? Couldn’t we add flexibility to provide more nimble, quicker judicial authorization if indeed the agencies demonstrate that they need quicker access to personal information on the Internet to fight crime and terrorism?
We recognise the challenges of safety authorities in the face of the new modalities of crime and terrorism. We feel the four part test provides a framework for the integration of privacy and security:
- Necessity to obtain IP information without a warrant has to be demonstrated – if it is, the powers are legitimate. Our point is, that necessity has not been demonstrated.
- Proportionality would be ensured through the limitation of powers to precisely what is necessary to ensure security - that means identifying the situations where authorities would have no choice, to be effective, to obtain IP information without a warrant. At this point, that case has not been made since the proposed Bill does not limit the scope of the powers sought.
- Effectiveness would be demonstrated with the same data that would support the arguments of necessity and proportionality – the same data that is missing: why do law enforcement and national security authorities need such wide powers to ensure security?
- Finally, is there a less intrusive alternative – and that would be the exploration of possible amendments to the judicial warrant system to make it more responsive to the challenges law enforcement and national security authorities face in the world on the Internet.
My point is – again – privacy and security are not in opposition. They have to work together for mutual reinforcement. I believe the example of the CATSA scanners illustrates that.
I hope to have illustrated for you how privacy and security are not at odds but, rather, complementary to each other.
Remember that we are all in the same business: we want to protect the society we live in. That means protecting both the individuals’ safety and their freedoms. That is the society we have chosen to live in, and it is our common objective to protect it.