By Tamir Israel
November 28, 2011
Guest Blog: CIPPIC tech lawyer Tamir Israel debunks government myths on online spying
It must also be pointed out that this legislation is not about so-called “serious crimes”, as is implied in Letter B. As last introduced, the Lawful Access package included three bills: C-50, C-51 and C-52. Of these, non-controversial C-50 (entitled the “Improving Access to Investigative Tools for Serious Crimes Act”), provided new powers exclusively reserved for investigations of serious crimes such as disturbing child pornography. Former bills C-51 and C-52, where all the truly invasive new powers are introduced, are not limited in any way. These powers can be used for investigations as minor as traffic violations if the officer wielding them chooses to employ them for that objective.
Additionally, the general principle that police should have “the tools they need to do their job” (Letter B) in a technologically developed world is not in dispute. Elements of this legislation aspire to do this in a targeted manner. Preservation orders, for example, will provide police with an expedited process to ensure suspected electronic evidence such as text messages or emails is not deleted before a police investigation has had time to gather enough evidence for a warrant. While there may be issues with the specific implementation of these preservation orders as set out, they are not objectionable in principle as they aim to address a true ‘need’ in the online environment.
These are not the changes Canadians should be concerned about, and where legitimate police needs for new tools are mentioned out of context, without reference to the invasive elements of the bills, this creates the misleading impression that the online spying legislation does nothing beyond the application of existing powers to new technologies. Canada’s Privacy Commissioners collectively noted that this is not the case:
While we understand the need for law enforcement and national security agencies to function effectively in the context of new information technologies, in our view, it would be misleading to suggest that these bills will simply maintain capacity. Taken together, the proposed changes and new powers add significant new capabilities for investigators to track and search and seize digital information about individuals.
Aside from these more general dismissals of concern, some specific and substantive concerns are mentioned in the MP response letters (samples can be found below for reference). It is worth examining each of these in closer detail.
“The need to respect a person’s reasonable expectation of privacy, as protected under the Charter, always guides law reform.” [Letter A]
While no government law is capable of overriding Canadians’ Charter rights, there is a difference between passing legislation that takes this fact for granted and legislation that respects Canadians’ rights. Our Courts will eventually decide whether to throw out or preserve some of the more invasive elements of the proposed legislation, but the Charter is intended to provide a ceiling for privacy invasions, not a ‘target’. Respect for the rights it enshrines means invading these rights minimally and only in ways carefully targeted to address specific problems. Our federal Privacy Commissioner made this point in an open letter to Public Safety Minister Vic Toews:
Canadians expect their government to respect their fundamental rights and freedoms. Your government has made firm and repeated commitments to the importance of privacy. Consequently, when new surveillance powers are proposed in law, the burden of proof is with government to demonstrate the necessity, legal proportionality and practical effectiveness of these new powers. The government must also be prepared to demonstrate how the model it is proposing is the least privacy-invasive alternative possible.
The proposed online spying legislation does not provide such a targeted, minimally intrusive response. The government is pushing the boundaries of privacy rights to their limits, opting for lower safeguards at numerous steps of the investigation chain. This allows for ‘bootstrapping’—a layering of privacy invasions that reduces safeguards and standards at various steps of the investigative process and amounts to an overall invasion that exceeds the sum of its parts. The legislation is carefully designed to allow for this.
As justification for this general increase in surveillance capacity, the government points to no evidence of need, but only a general notion that technology has evolved and so should surveillance powers. There are few indications of how these surveillance powers are minimally tailored to meet actual problems posed by technologies. Indeed, there is cause to suspect that these new powers will not help surveille technologically astute criminals, who will mask and encrypt their communications, leaving innocent and unwary Canadians as the most likely victims of its sweeping powers.
“In addition, such authority will continue to be exercised bearing in mind privacy rights under other legislation, such as the Privacy Act and the Personal Information Protection and Electronic Documents Act.” [Letter A]
As far as assurances go, this claim is difficult to understand. The Personal Information Protection and Electronic Documents Act (PIPEDA), which protects the privacy rights of Canadians against private companies such as ISPs, already includes very broad exceptions for whenever such companies are asked to comply with police. The government recently reintroduced Bill C-12 (formerly Bill C-29), which will remove any possible protections PIPEDA may offer Canadians in scenarios where their online service providers are asked to hand over any personal customer information in their possession (see Clauses 6 an 12).
References to the Privacy Act as an instrument capable of protecting Canadians’ rights in a technologically advanced era are equally baffling. As with PIPEDA, the Privacy Act includes gaping exceptions for information exchanges with law enforcement (see section 8(2)). More to the point, this Act was passed at a time when the World Wide Web was but a twinkle in Sir Tim Berners-Lee’s eye, and “before the development of technologies for data matching, biometrics…portable electronics, surveillance, video surveillance, and GPS”. It provides scant protection for the ways new technologies are already being mobilized by law enforcement to spy on Canadians.
The government appears quite eager to update privacy invasive powers to meet perceived technological challenges, but less so where specific privacy protections are threatened. In 2009, when called upon to bring the Privacy Act into the 21st century as part of the aging statute’s mandatory five year review, the government refused. Then, as now, the government pointed to the Charter as sufficient protection. Then, as now, the government demonstrated little concern for Canadians’ privacy.
“Police will still be required to obtain judicial authorizations in order to obtain information under our legislation.
“Law enforcement agencies cannot intercept private communications or obtain transmission data without being authorized to do so by law.” [Letter A]
This legislation does not grant police the power to intercept private communications or transmission data without a warrant. It also does not allow police to place remote cameras in Canadians’ homes, but that does not make the invasions it does contemplate any more acceptable. What it does do is provide the power to collect identification information—including IP addresses, email addresses, mobile device identifiers, and names of anonymous account or device owners—without a warrant and in scenarios where the police do not even have a reason to suspect the information will assist in an investigation.
The government has attempted to downplay the gravity of disclosing Internet ‘subscriber information’. This substance of this view is epitomized in the following response from a member of Parliament to a constituent (Letter B):
I would like to reassure you that the outrageous claims that private communications will be intercepted without a warrant [are] a complete fabrication. Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address.
This perspective exposes a view that is dangerously out of touch with the realities of online activity. The identifiers in question inherently reveal significantly more information than information found in a phone book. More to the point, an assessment of these identifiers cannot be taken out of context as in Letter B. While most people’s names and home addresses are surely available in the phone book, the disclosure of these will typically reveal no more than the fact that individual A lives in location B. Online, identifiers such as those to which the police will soon be given ‘upon request’ access will be linked to far more sensitive information. When police seek so-called subscriber information, they are not merely trying to identify to which ISP a customer subscribes. They are linking this information to sensitive, otherwise anonymous activity. The Ontario Information and Privacy Commissioner recently made this point saliently:
The public does not have access to this information, nor should they - it goes far beyond address and phone number. Consider just one of the new threats to our fundamental freedoms: police could force telecoms to provide the name, address and unique device number of people (enabling online tracking) who posted comments on newspapers' websites under pseudonyms - without a warrant, without explanation and in secret. This should only be accessible through a court ordered, judicial warrant. This is unacceptable: 88 pages of new powers, without matching judicial safeguards.
As pointed out by NDP critics yet another open letter on this topic, providing warrantless access to mobile device identifiers raises concerns of mass tracking of Canadians real life activities. These device identifiers are built into most cellular phones, and can be collected with devices called Stingrays. Such devices, already in common use by law enforcement (and even malls!) in other jurisdictions will provide police with the location of any cell phone IMEI number at any time. In isolation, this will only yield a mostly meaningless string of numbers. However, under the current regime, police will need a warrant to identify the anonymous individuals attached to these numbers. Under the government’s proposed regime, police will be able to make this link ‘upon request’, opening the door to mass surveillance of Canadians’ movements without any oversight.
The identifiers , once attached to a real name, “will become the means by which a biographical core of personal information is assembled.” They will be the building blocks of detailed profiles on Canadians’ activities, interactions, and expression—hardly on par with an entry in a phone book.
“None of the lawful access tools in this legislation will reduce existing privacy safeguards such as warrants, court orders, and other judicial authorizations...”
The investigative tools created in this legislation preserve existing safeguards, such as requirements for warrants, court authorizations or other lawful authority to target specified communications. These investigative tools are time-limited, and nothing put forward in the proposed legislation would reduce the existing safeguards. Notably, the legislation will also enhance privacy protections in the current tracking warrant provisions.” [Letter A]
Aside from warrantless access to some online identifiers, the legislation allows certain information (such as transmission data and some tracking data) to be acquired at a lower standard than that typically used to protect Canadians’ privacy. With respect to tracking warrants, the legislation will offer standard protection for tracking devices placed on individuals. The utility of such devices, however, appears to be rapidly disappearing as individuals increasingly carry GPS enabled smartphones that transmit their location to their third party service providers. The legislation provides reduced safeguards that will allow police to get this GPS data directly from such third parties with greater ease. Of course, if police are provided warrantless access to mobile device identifiers, as indicated above, such tracking data may rapidly become altogether redundant.
Under the new, lower standards, law enforcement will only need to raise generalized suspicions before being granted access to often sensitive information on Canadians. Moreover, the overall thrust of the legislation is to reduce safeguards for information collection at various stages of the investigative chain. Police will acquire online identifiers without the need for a warrant. They can then use this information to raise ‘general suspicions’ in order to gain even more information. These types of broad, open-ended powers facilitate and encourage fishing expeditions and mass surveillance. More innocent Canadians are likely to be caught in this new spying apparatus than has ever been the case before and all without justification or demonstrable need.
The online spying legislation also leaves gaping holes in the auditing regime it attempts to put in place to monitor these new powers. It envisions gag orders that may prevent individuals from knowing they have been spied upon. It places open-ended obligations for ISPs to update their technologies. It pushes online service providers to voluntarily hand over even more private data of customers to law enforcement by providing them with criminal and civil immunity for doing so. It could impose heavy costs on all ISPs (meaning customers will have to pay), with disproportionate impact on indie ISP competition.
Minimal fixes include: strong and enforceable independent audit/oversight powers, rollback of immunities for voluntary spying by private companies, and removal of warrantless disclosures, higher standards for access to sensitive information, and sunset clauses to study future impact of the legislation.
Overall, as last presented, the online spying bills present a serious erosion of privacy for Canadians. The legislation would need dramatic reforms before its reintroduction if it were to truly strike the appropriate balance between legitimate law enforcement needs and privacy rights of Canadians. To argue otherwise is to present constituents with false hopes and expectations.
Letters from MPs to pro-Internet community members
Our Government is strongly committed to ensuring that Canadians’ rights under the Canadian Charter of Rights and Freedoms are respected.
The new lawful access tools proposed in our legislation will not derogate from existing safeguards and privacy protections. The need to respect a person’s reasonable expectation of privacy, as protected under the Charter, always guides law reform.
In addition, such authority will continue to be exercised bearing in mind privacy rights under other legislation, such as the Privacy Act and the Personal Information Protection and Electronic Documents Act.
Police will still be required to obtain judicial authorizations in order to obtain information under our legislation. None of the lawful access tools in this legislation will reduce existing privacy safeguards such as warrants, court orders, and other judicial authorizations.
Law enforcement agencies cannot intercept private communications or obtain transmission data without being authorized to do so by law. The investigative tools created in this legislation preserve existing safeguards, such as requirements for warrants, court authorizations or other lawful authority to target specified communications. These investigative tools are time-limited, and nothing put forward in the proposed legislation would reduce the existing safeguards. Notably, the legislation will also enhance privacy protections in the current tracking warrant provisions.
Dear Mr. ___________,
Thank you for your email of October 5th concerning internet privacy.
As technology evolves, many criminal activities – such as the distribution of child pornography - become much easier. We are proposing measures to bring our laws into the 21st Century and provide police with the tools they need to do their job.
On the issue of privacy, our approach strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard the privacy of Canadians.
I would like to reassure you that the outrageous claims that private communications will be intercepted without a warrant is a complete fabrication. Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address.
What this will NOT allow for is access to private communications without a warrant.
That being said, our message is clear: if you use technology to commit crimes – such as distributing child pornography – the police will apprehend you and you will be punished to the full extent of the law.
Good afternoon _________:
Thank you for your email regarding Lawful Access bills. I appreciate your comments and welcome the opportunity to respond.
In Bill C-10, the omnibus crime bill that is currently before Parliament, there are no provisions for changing the Lawful Access laws in Canada. Former bills C-50, C-51, and C-52 are not included in the omnibus crime legislation.
I trust that this has addressed your concerns.
Thank you for taking the time to write.