The Bill C-51 Anti-Terror law debate has been contentious and wide-ranging, yet few commentators have drawn on experience or expert voices elsewhere to understand its implications.

Bruce Schneier is one such voice. A security professional and technologist, he’s one of the most authoritative and knowledgeable voices on security and privacy today; a “security guru” in the words of The Economist. Fortunately for Canadians, he has an excellent new book out entitled Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World, which tackles many of the technical, legal, and policy issues arising due to government and corporate data gathering and surveillance, and other actions of security agencies.

Though Schneier’s book is most useful for scrutinizing the activities of Canada’s signal intelligence agency CSE (our NSA, if you will), whose “cyberwarfare” toolbox was recently unveiled thanks to the Edward Snowden leaks, it also offers important insights for government security practices more broadly, including Bill C-51, which will dramatically expand the powers of Canada’s spy service CSIS.

In the interests of full disclosure, I should say that I know Bruce through my time at Harvard’s Berkman Center for Internet and Society, where we were colleagues (I was previously a Fellow and am now a Research Affiliate there). Colleague or not, however, “Data and Goliath” has something to say about Canada’s present Anti-Terror law debate.

Canadian experts and commentators have offered powerful critiques of Bill C-51, such as the Citizen Lab’s Professor Ron Deibert and Policy Options contributors Dean Lorne Sossin and Professor Kent Roach, the latter of whom has led the charge with Professor Craig Forcese in explaining the Bill and its troubling implications, particularly the risk that many of the new powers conferred on CSIS are couched in very broad and vague language and may easily lead to abuses of the rights of Canadians.

In response, the Government has announced plans for minor amendments to the Bill, to address a few instances of overly broad language. Most notably, it is clarifying language in the law that previously suggested “unlawful” protests or dissent may constitute a threat to Canada’s security. They are also reining in previously “unlimited” government sharing of people’s personal information under the Bill, and are clarifying that CSIS will not be able to arrest people under its new “disruption” powers. While these changes are a help, a vast majority of the Bill’s problem provisions remain, from the new powers of “preventative detention” (with few rules concerning how detentions are conducted), to the vague new provision criminalizing terrorism-related speech, to the new, but still secret, judicial proceedings to authorize CSIS to “breach” Charter rights. These all remain. And CSIS’ power to “disrupt”, even if amended, is still too vague, allowing for a range of troubling actions short of arrest, like physically confronting targets, disturbing property, or interfering with other government actors. In short, there is ample room for the rights and interests of Canadians to be flouted or infringed.

Beyond this recently announced handful of amendments, the Government, and its supporters, have responded to criticism in primarily two ways. First, Canadians should trust the “professionalism” of CSIS to use these new powers “sparingly if at all”, because these powers are so “controversial” their misuse would bring CSIS’ legitimacy “into question”. Second, that even if there are abuses, there is adequate oversight to catch them. “We already have a rigorous system of oversight on our national security police agency,” the Prime Minister has stated, “It functions very well.”

These responses are weak and misleading. Three insights from Schneier’s new book help illustrate why.

First, security agencies like CSIS employ a maximalist operational philosophy. There’s a great quote that Schneier cites from former NSA director Michael Hayden that illustrates this point: “Give me the box you will allow me to operate in. I’m going to play to the very edges of that box… You the American people, through your elected representatives, give me the field of play and I will play very aggressively in it.” Security agencies are not incrementalists. They aggressively interpret their legal and intelligence gathering powers, take advantage of grey areas in the law, and push the boundaries in order to achieve their security and intelligence objectives.

Even with the limited oversight we have concerning CSIS’ secretive operations, it appears the agency takes an equally aggressive approach. Justice John Major, in the Air India Tragedy Commission Final Report, found CSIS took an “expansive view” of its mandate. More recently, CSIS’ own Inspector General (an office that the Government eliminated in 2012) reported that the agency regularly flouted its own rules and policies. And in one of the few court rulings concerning CSIS’ clandestine activities made public (at least in part), Justice Richard Mosley essentially found CSIS had misrepresented its activities to the Court in order to circumvent legal restrictions on its co-operation with other foreign spy services.

CSE, which assists CSIS with foreign intelligence gathering, also acts aggressively, exploiting uncertainty about the legal status of metadata (that is, data about data) by “incidentally” collecting troves of it on Canadians’ communications, conducting “tradecraft” field tests involving tracking, analyzing, and correlating public WIFI traffic data, or tracking and analyzing millions of downloads online daily for suspicious activities. These are not the activities of restrained or reserved security agencies. (For more on CSE’s activities see discussions here and here by my Citizen Lab colleagues Professor Ron Deibert and Christopher Parsons.)

Ironically, the “professionalism” that Professor Christian Leuprecht cites in defense of Bill C-51 is precisely why the Bill is a problem. The professional culture of security agencies is not restraint; it is to “play to the very edges” of the legal rules imposed on them. And the legal rules in Bill C-51 are so vague and broad, the “edge” so uncertain, that abuses are not only possible, but probable. Or, as a former CSIS agent has put it, “[i]t’s not if it will happen. It’s when.”

A second observation from Schneier concerns oversight, one of the most contentious issues surrounding Bill C-51. For Schneier, whatever form it takes, oversight is useless without transparency. Critics like NDP leader Tom Mulcair and Liberal leader Justin Trudeau, for example, have argued for U.S. or U.K. style oversight to be incorporated in the Bill. Yet, while the Security Intelligence Review Committee (SIRC), with its underfunded after-the-fact “snapshot” reviews of CSIS activities, is so weak it cannot seriously be considered “oversight”, American and British approaches are not models to follow. Why? They lack transparency.

With either oversight by elected officials or tactical oversight by courts, so long as these mechanisms remain secret with little transparency and accountability, neither will be effective for the same reason. In both situations, the information that judges and elected officials rely on to make their decisions is supplied by the spy agencies themselves.

In the U.S., with Congressional oversight, Schneier documents several cases where security officials misled Committee members. In secretive judicial proceedings, one of the few mechanisms presently used for independent operational oversight of CSIS activities, it is similarly difficult for courts to ensure rules are followed, given their traditional passive role and the fact that information is supplied by government. Schneier also details in his book how recently declassified opinions of the FISA Court, the judicial body overseeing U.S. surveillance, suggested security officials were gaming the system, that is, making misrepresentations to the court and, in Schneier’s terms, “regularly exceeded its legal authorizations”. Troublingly similar is the finding of Justice Richard Mosley, mentioned earlier, that CSIS had misrepresented its activities and breached its duty of candour to the Court. Oversight in Canada, whether through Parliament or courts, is set up to fail if maintained in secret.

Some form of ongoing oversight, with strong independence from government, is warranted. On this count, I would certainly support recent calls to strengthen the mandate and budget of SIRC, but only if the SIRC Chair is treated more like an Officer of Parliament (a permanent and long term appointment with a budget and staff similar to the Auditor General), with appointees also having the requisite expertise and experience. Not to second guess current or previous SIRC appointees, but just as no one would appoint a politician with no prior professional expertise as Auditor General, the same should be said of a body as important as SIRC.

But even that is not enough because, again, SIRC only provides a review function. Tactical, or operational, oversight is required. This would likely require some major institutional or legislative changes, but an initial step would be to reinstate the Inspector General office within CSIS; as Dean Sossin has pointed out, this would at least provide some internal mechanism for accountability. We must avoid, as Professor Deibert aptly put it, “entrenching 1950s-era oversight of a 21st century security service machine.”

This leads to a final important observation from Schneier: governments do not reform themselves. Once large-scale legislative schemes like Bill C-51, with new powers and capabilities, are passed, the bureaucratic and institutional inertia within Government will be not only to retain those powers, but to expand them again over time. This has certainly happened in Canada, with CSIS’ powers increasing after 9/11 and dramatically increasing again if Bill C-51 is passed, which is very likely. That means Bill C-51 must have some concrete mechanisms built in to reverse that inertia. One way to do that is through sunset clauses, like those suggested by Professors Roach and Forcese, which would require a positive legislative step to extend the new powers in C-51 at some fixed time in the future. This is important, because it would be one way to ensure a proper Parliamentary debate on point.

But sunset clauses are also imperfect. If Bill C-51 is addressed before the sunset period expires, the powers can be made permanent without any further review. Another problem is that when the “sunset” period is due to be addressed, a Government with a majority can shut down full and proper Parliamentary debate and committee review, leaving Canadians still in the dark. So, more steps are needed to ensure broader scrutiny and resist government inertia. One way would be to include a statutory requirement for a comprehensive review of CSIS’ use of Bill C-51 powers every four or five years, to be conducted by SIRC, and with a full report presented to Parliament. Just another safeguard to ensure Government, and CSIS, would face serious scrutiny in the light of day.

Some may scoff at suggestions here, articulated through the American experience, as impossible given the Government’s intransigence. Yet, its recently announced plan for amendments, albeit minor ones, suggests at least an inkling of flexibility. Perhaps the Government can be moved further? “Fatalism”, implores Schneier, “is the enemy of change”. Indeed. So, let the debate go on.

Photo by Sally T. Buck / CC BY-NC 2.0 / modified from original