canadian!civil!liberties!association · orbythirdparties,includingcorpor...
TRANSCRIPT
1
CANADIAN CIVIL LIBERTIES ASSOCIATION
Submissions to the Senate Standing Committee on Social Affairs, Science and Technology regarding Bill C-‐59, An Act to Implement Certain Provisions of the Budget Tabled in Parliament on April 21, 2015 and Other Measures (Economic Action Plan 2015 Act, No. 1) – Hearings on Division 15 and amendments to the Immigration and Refugee Protection Act
May 29, 2015
Sukanya Pillay, General Counsel and Executive Director Brenda McPhail, Privacy, Technology and Surveillance Project Director Canadian Civil Liberties Association 215 Spadina Ave., Suite 210 Toronto, ON M5T 2C7 Phone: 416-‐363-‐0321 ext 256 www.ccla.org Contact: [email protected] or [email protected]
2
Canadian Civil Liberties Association (CCLA)
The Canadian Civil Liberties Association (CCLA) is a national, non-‐profit, non-‐partisan and non-‐governmental organization supported by thousands of individuals and organizations from all walks of life. CCLA was constituted in 1964 to promote respect for and observance of fundamental human rights and civil liberties and to defend and foster the recognition of those rights and liberties. CCLA’s major objectives include the promotion and legal protection of individual freedom and dignity. For over 50 years, CCLA has worked to advance rights, freedoms and justice throughout Canada, regularly appearing before legislative bodies and all levels of court.
We thank the Senate Standing Committee on Social Affairs, Science and Technology, for the opportunity to appear before you this morning by video-‐conference, and to provide the Committee with these written submissions, in order to outline our position on the privacy rights protections and protocols which must be in place regarding Division 15 of Bill C-‐59.
A. Overview of Concerns
Bill C-‐59 Division 15 of Part 3, amends the Immigration and Refugee Protection Act (“IRPA”) to expand the use of biometrics regarding applications, claims and requests made under IRPA, and authorizes the Ministers of Public Safety and Citizenship and Immigration, to require electronic filings, and provides for automated decisions.
Specifically, Division 15 Part 3 amends the IRPA as follows:
10.01 A person who makes a claim, application or request under this Act must follow the procedures set out in the regulations for the collection and verification of biometric information, including procedures for the collection of further biometric information for verification purposes after a person’s claim, application or request is allowed or accepted.
And in Part 4.1, section 186.1,
(1) The Minister may administer this Act using electronic means, including as it relates to enforcement….
(5) For greater certainty, an electronic system, including an automated system, may be used by the Minister to make a decision or determination under this Act, or by an officer to make a decision or determination or to proceed with examination under this Act, if the system is made available to the officer by the Minister.
3
CCLA has concerns in relation to the expansion of the use of biometrics as part of the Immigration and Refugee process, and in relation to the electronic administration of the Act.
B) Expanded use of Biometrics in the IRPA
The Canadian Civil Liberties Association has frequently iterated its support of Canada’s duty to protect public safety and national security. In this regard, CCLA understands that biometrics can be an exceptionally useful tool in authenticating identity, which is clearly necessary in the immigration and refugee process both at Canadian borders and in the process of vetting and assessing applications and claims that arise in the immigration and refugee context inside and outside of Canada.
We further acknowledge that the use of biometric identifiers is widespread across a range of international jurisdictions. We note, however, that in democratic nations of the Global North, biometrics are typically deemed to be sensitive, highly personal data that requires significant protection to ensure that it is used appropriately, with adequate safeguards and security precautions.
While we do not dispute the utility of biometrics and the potential for their use to enhance public safety, we wish to alert this Committee to the concomitant potential for biometrics to be abused, for reliability concerns, and privacy concerns. Specifically, it is our view that privacy concerns must be considered from the outset, and in tandem, with any new legislation expanding biometrics operations in Canada. The use of biometrics in the sphere of immigrants and refugees has its own particulars that must also be considered from a privacy and equality rights perspective. Public safety is also a key objective of the CCLA, and our research has demonstrated that public safety is best and most effectively protected when civil liberties and fundamental freedoms – and in this context, privacy rights in particular – are protected and upheld. Public safety and privacy rights are not competing goals, but rather concomitant, complementary goals that work together to enhance the security of Canada.
(i) Risks Inherent in Biometrics
Biometrics raise particular privacy concerns because of their inherent characteristics. If the risks and privacy concerns are not properly addressed from the outset, the potential strengths and utility of biometrics uses can be undermined, and can also create additional problems that will have a broader impact on public safety and democracy, beyond even the immigration and refugee context.
4
Risk of Error
At the time of writing, facial recognition, fingerprint scanning, hand geometry, and even voice recognition are biometrics which can be captured. Biometrics can be useful in authenticating a person’s identity at a border. Such authentication can be accomplished by comparing, for example, an iris scan or a fingerprint, with the biometrics previously captured and associated with the individual in question. However, no biometrics system is perfect. Facial recognition systems and fingerprint scanning systems are subject to errors, both through false positives, where matches are incorrectly detected in the data, and false negatives, where two scans from the same individual are incorrectly deemed not to match. While fingerprint systems under ideal conditions (high quality scans, multiple fingers) do have a very high accuracy rate (above 99%, according to a study by the USA National Institute of Standards and Technology)[1], there is still a small chance for error. Facial recognition systems are less accurate; the same standards body in a 2014 study found that the best algorithm, under the best circumstances (high quality photographs in a one to many matching situation) had a 4.1% error rate.[2] While these numbers are relatively small, the consequences of errors for individuals may be significant. This makes it crucial that a documented process is instituted in conjunction with a biometric identification system, to provide a fair and reasonable appeal process if there is a dispute about the decision on admissibility in relation to an immigration or refugee application on the grounds that there are inaccuracies in the system.
Privacy Concerns
The capabilities of evolving technologies, including biometrics, must not so dazzle us that we fail to heed the privacy concerns that have long been in entrenched in our democratic society, and our abilities to forge the shape and evolution of our society going forward. The Supreme Court of Canada in R v Dyment ([1988] 2 S.C.R. 417), a case involving DNA extraction, recognized that privacy lies at the heart of a democratic society. Privacy rights, situated in the Canadian Charter of Right and Freedoms’ section 8 right to be free from unreasonable search and seizure, are part of our societal makeup and are a key concern in criminal law cases involving searches or seizures of DNA and blood samples, as well as searches of personal property, computers and cellphones. The CCLA has intervened in significant number of these cases, including before the Supreme Court of Canada.
The CCLA has long argued for the privacy principals of necessity, proportionality, and minimal impairment. Strict privacy protocols around informed consent for collection, storage, access, dissemination, use–including secondary uses and unwanted uses (‘mission
5
creep’) –and destruction must be in place with respect to the collection of any personal identifying information. This is particularly relevant in the case of biometrics which reveal highly sensitive personal information that can be stored and shared broadly domestically and internationally, among government agencies, and with private actors.
Existing multilateral and bilateral treaties between Canada and other States underscore the potential for sensitive biometric information to be accessed, and employed in uses beyond legitimate purposes of border security. As such privacy protocols must be in place. The provisions in Bill C-‐59 further highlight the need to consider the access and widespread sharing and uses of biometric information captured for border security. In this regard, storage and access are particularly important – centralized databases can be accessed by not only domestic government departments, agencies and private actors, but also by international actors. Furthermore, while access and the risks of “hackers” are a risk with any database, the harms of accessing biometric information are far greater to individuals whose biometric information is compromised. The risks of compromised biometric information are also far greater to a free and democratic society that has not consented to allowing the constant and real-‐time movements of individuals to be recorded by the State – the existing facial recognition technologies and biometrics technologies that can track and identify physical movements and even an individual’s gait, combined with the tracking devices of modern society such as cellphones and GPS, make such surveillance a calm and stark reality. Furthermore, the temptation for powers to access biometric information for secondary and unjustified uses is no surprise to democratic societies that are verily predicated on principles of transparency and accountability; in this vein, our democratic rights and values regarding privacy and our rejection of mass intrusions and mass surveillance in public spheres must be reconciled with the uses and unintended uses availed by biometrics.
Examples of foreseeable, secondary uses can include tracking of individuals whose facial biometrics are stored in a central database through public and private sector surveillance cameras. Unjustifiable secondary uses also include tracking and surveillance by the state or by third parties, including corporate actors for marketing purposes, in a manner that does not accord with human rights and privacy principles discussed above.
(ii) Biometrics and the IRPA
Biometric systems use the intrinsic physical characteristics of people to identify, or verify the identity, of individuals. It is our understanding that current biometrics collected under the IRPA includes fingerprints, and image data for facial recognition processing. We also understand that under Division 0.01, 10.02 (c) regulations may alter those biometrics
6
collected and that additional biometrics may be collected at a future time. We will, however, confine our subsequent comments to those identifiers currently in use.
A fingerprint is typically stable over time, and highly distinctive, making it a potentially robust identifier. Facial recognition is slightly less stable, as the human face changes over time, particularly in relation to age and weight loss or gain, and possibly surgery. However, both biometrics are definitively linked to individual bodies. The privacy challenges associated with biometric data thus requires careful consideration in order to manage their unique risks. Although biometrics are personal information about identifiable individuals, and therefore their use by the federal government falls under the provisions of the Privacy Act, Canada currently has no minimum standards for privacy, risk mitigation or public transparency.1 CCLA supports the Office of the Privacy Commissioner of Canada’s recommendation that privacy concerns be taken into account at the initiation of any program, and particularly a biometrics program. Further, while we are encouraged that there have been, and will be, privacy impact assessments (PIAs) conducted on these programs, we note that previous PIAs conducted on the more limited use of biometric data currently in place for immigration purposes did identify risks requiring mitigation. As such, we are concerned that Bill C-‐59 provides greater roll out of biometrics use without properly addressing the risks already identified.
Because biometric data is linked to individual bodies, it cannot be revoked or reissued in case of theft or fraud—each individual has only one set of fingerprints, and one face, which in normal circumstances cannot be replaced. This makes it extremely sensitive. Large, standardized collections of biometrics are highly attractive targets for hackers and identity thieves. Expanding the range of applicants who are required to submit biometric data means expanding the size of the database(s) in which it is stored, and the subsequent risks that must be managed. Best practice for security for such data should restrict or prohibit the collation of different types of data within a single database, in order to prevent the acquisition of multiple biometrics stored about individuals in the event of a breach. While CCLA has every confidence that information security will be taken seriously in this context, it is nonetheless the case that there is no such thing as an “un-‐hackable” database, making it particularly important that every relevant and possible precaution be taken to minimize the risk of data exposure if security should be maliciously compromised. While specific information that would compromise security must obviously remain confidential, the existence of appropriate safeguards should be provided publicly to reassure Canadians that this program is fully and effectively compliant with best practices in relation to security of vulnerable and sensitive data.
1 Office of the Privacy Commissioner of Canada, “Data at your Fingertips,” Available: https://www.priv.gc.ca/information/pub/gd_bio_201102_e.asp
7
For example, Division 0.01, 10.02 (e) of the suggested amendments to the Act indicates that regulations may include provisions for “the processing of the collected biometric information, including the creation of biometric templates or the conversion of the information into digital biometric formats”; if templates are used to extract and record information about only specific key features of the print, and particularly if the templates used are unique to the specific purpose, this can assist in protecting the privacy of this highly sensitive information. It is unclear from the Bill the extent to which the use of templates might eventually be instituted via regulation, but their use would be another best practice for security, as well as aiding in the prevention of unauthorized or inappropriate data matching.
Unrestricted sharing of biometric data is another significant privacy risk. A unique identifier such as a fingerprint facilitates cross-‐matching across multiple data repositories. While issues of data sharing are not addressed specifically in Division 15 of Bill C-‐59, the information sharing provisions contained in Bill C-‐51, which creates the new Security of Canada Information Sharing Act, makes the issue of the potential sharing of biometric identifiers one that we wish to highlight for the Committee as potentially problematic. It is important to keep in mind that those individuals entering Canada as immigrants are those who are very likely to become valuable, contributing members of Canadian society, while refugees are by definition vulnerable and deserving of our particular attention to protect their rights as they enter Canadian society. Information sharing of biometrics with foreign bodies further increases the privacy risks for individuals, and while it may be necessary in an immigration and refugee context in some circumstances, such sharing should be subject to appropriate safeguards. In particular, privacy best practice means that biometrics should not be used for purposes beyond the initial reason for their collection as part of the immigration/refugee application process.
Furthermore, Canada has recognized the value of immigration and its humanitarian commitments to refugees, both of which are recorded in the preamble to the IRPA as well as elsewhere in international laws. Canada has constitutional legal obligations to uphold equality. Section 15 of the Charter protects against discrimination on grounds which include "nationality" and "place of origin". Accordingly, if privacy protocols on access and uses of biometric information are not identified and upheld, then the potential for discriminatory uses of biometric information of non-‐Canadians is real. Additionally, Canada has binding legal commitments to refugees and asylum seekers in international refugee law, and also set out in section 3(2) of the IRPA, which may be compromised by the access of biometric information of asylum seekers by countries of origin. CCLA respectfully reminds the Committee that asylum-‐seekers are fleeing persecution and seeking asylum in Canada because their country of origin is unable or unwilling to protect them – in these circumstances the collection of biometric information
8
and in turn the potential increase in the ability to locate and track an asylum seeker who is fleeing persecution triggers serious risks not only of privacy but of life and liberty. We would note that many of the questions posed to us during the May 29th Committee Hearing actually related to secondary uses of data, or uses beyond the scope of the Immigration and Refugee process, particularly in relation to policing (i.e. in the domestic sphere of policing the Vancouver hockey riot), that might require information sharing. Data collected to assure the identify of an Immigrant or Refugee person and to assess eligibility for entry to Canada should not be used to create a “second tier” of highly-‐documented individuals whose biometric data becomes accessible and subject to increased scrutiny or possible surveillance simply because they were not born here. If, during what we believe to be the scrupulous and effective immigration entry processes undertaken by the Canadian authorities, an individual is deemed acceptable to live and work in Canada, then they should not be treated with an additional level of suspicion subsequent to their authorized entry to our country.
When increasingly privacy invasive means of identification such as multiple biometrics are deemed necessary, CCLA argues that their use should be accompanied by an appropriate degree of transparency as to the policies that govern their collection and the practices in place to ensure their collection, use, disclosure and retention.
C) Electronic Administration and Automated Decision-‐Making in the IRPA
Bill C-‐59, Division 15, Part 4.1, 186.1 (1) states that:
“The Minister may administer this Act using electronic means, including as it relates to its enforcement,” and section (5) states: For greater certainty, an electronic system, including an automated system, may be used by the Minister to make a decision or determination under this Act, or by an officer to make a decision or determination or to proceed with an examination under this Act, if the system is made available to the officer by the Minister.”
Parliament has indicated in section 3 of IRPA, the Act's objectives to "permit Canada to pursue the maximum social, cultural and economic benefits of immigration"; these objectives may be frustrated by Bill C-‐59’s electronic requirements that can discriminate against those outside Canada without internet access. CCLA is concerned that new requirements for electronic applications may exclude individuals who may due to economic circumstances or local infrastructural failures, be unable to provide such information electronically. It is our view that the Bill C-‐59 should include equality and
9
privacy protections and at a minimum any ensuing regulations must include specific protections.
CCLA is further concerned by the provision for automated decision-‐making regarding temporary and permanent residence applications. What types of decisions might be so automated? How are such decision-‐making systems to be designed, and what are the criteria to be included (or excluded)? At what point might human judgment be introduced into the process? In the case of a dispute or appeal, how might judicial review of automated decision-‐making take place? Will decisions taken as a result of programming and algorithmic calculations take precedence over expert human judgment? Such a significant departure from current, human-‐centred processes that may have such a potentially massive effect on the lives of individuals requires serious, careful consideration. While we welcome this Committee’s willingness to engage in study of this amendment, we feel strongly that automating decision processes for decisions relating to IRPA requires a larger, public discussion and debate. In conclusion, the expansion of the use of biometrics within IRPA, the use of electronically submitted information, and the automated decision making processes for (unspecified) applications under that Act, are substantive issues that raise serious privacy and equality concerns. In fact, their presence in an omnibus budget bill is highly problematic. Such significant and potentially substantive changes to current practice would more appropriately have been considered in a distinct piece of legislation allowing for proper scrutiny and attention, both from Parliament and the public.