Electronic Surveillance - News

  • – 2017-12-08 –

    The Supreme Court of Canada issued its long-awaited decisions in R v Marakah, 2017 SCC 59 and R v Jones, 2017 SCC 60 today, issuing a strong statement on the protection of privacy in digital contexts. The decision held that text messages continue to enjoy constitutional protection even after they are received by their intended recipient, meaning the state cannot bypass constitutional protections simply by directing its search to the recipient's cell phone, social media account or service provider. As CIPPIC argued in its interventions [Marakah, Jones], the decisions being appealed adopted a formalistic approach to concepts such as 'control' and 'access' which apply robustly in the physical world (who controls the data at the time of access, from what location is the data accessed) but have minimal bearing on privacy expectations in digital spaces. By contrast, the majority of the Supreme Court adopted a broad analysis of the privacy interests at stake, with outgoing Chief Justice Beverley McLachlin emphasizing the choice of a private conversation medium (i.e. text messaging) as driving the privacy analysis, concluding that "... privacy in electronic conversations is worthy of constitutional protection. That protection should not be lightly denied." Indeed, as McLachlin, CJ, explains on behalf of the majority in Marakah, the choice of a private messaging medium is, in and of itself, an exercise of effective control, underpinning privacy expectations in electronic messages that extend to their recipient. The choice to engage in a private electronic conversation creates a context where the sender can reasonably expect the messages to remain secure against the eyes of the state.

    Image Credit: Matt Karp, CC-BY-NC-ND 2.0, May 7, 2010, Flickr

  • – 2017-10-23 –

    CIPPIC has helped organize letters from over 40 prominent individuals and organizations supporting Chelsea Manning's legal team in its bid to reverse her refusal of entry into Canada. As CIPPIC points out in its own letter of support, the whistleblowing activities which formed the basis for Ms Manning's sentence in the United States have been integral to debates surrounding many matters of public interest—including a casual disregard for civilian life in the Iraqi and Afghanistan wars and a program of extra-judicial assassination targeting senior Taliban and Al-Qaeda officials. These disclosures could not be shown to have caused any direct damage, and Ms Manning's sentence for her crime of conscience has since been commuted by former US President Barack Obama. Refusing Ms Manning entry into Canada on the basis of her conduct is an injustice that should be reversed. The campaign was spearheaded by independent researcher Lex Gill. CIPPIC's letter can be read here: https://cippic.ca/uploads/20171012-LT_GoC_re_Chelsea_Manning.pdf

    Image credit: CC-BY 2.0, Jackie: Flickr

  • – 2017-09-12 –

    CIPPIC joined the BC Civil Liberties Association, Dr. Christopher Parsons and Privacy International in writing to Canada's two primary national security oversight bodies, SIRC and the CSE Commissioner. Drawing on an analysis of human rights transparency obligations, the letter notes recent efforts by these two bodies to examine cross-border data sharing arrangements entered into by the two agencies they oversee, CSIS and CSE, respectively. It then poses a few questions regarding the oversight bodies' respective abilities to find out about and assess information sharing arrangements, and regarding the processes by which information-sharing arrangements are formed. The letter constitutes the Canadian instance of an international campaign that sent comparable requests to national security oversight bodies in over 40 countries around the world. The objective is to gain a clearer picture of international data flows between national security agencies, and to establish a dialogue with national security oversight bodies on this matter. Read the letter here: https://cippic.ca/uploads/20170913-LT_re_intel_sharing_agreements-CA.pdf

  • – 2017-09-07 –

    CIPPIC joined a number of civil society groups in a submission outlining concerns regarding a proposition by the Council of Europe to adopt a second protocol to its Cybercrime Convention with the objective of lowering current safeguards in place when law enforcement agencies seek access to data stored in foreign countries. The submission, which was spearheaded by our friends at EDRi, establishes a number of preliminary baseline requirements for any international instrument aiming to facilitate cross-border law enforcement access to data. While only a starting point, some of the minimum requirements in the submission will surely need to be addressed if the proposed second protocol is to have the legitimacy and global adoption its authors hope. These include:

    • Limiting the second protocol to addressing gaps left by a reformed MLAT regime
    • The need for competent and independent judicial authorization as a centre-piece to any cross-border data access regime
    • The data hosting state must be notified when a foreign law enforcement agency accesses data hosted within its territory
    • A right to challenge foreign data requests in the country of the affected data subject, and by that country's standards.

    In addition, as pointed out by the Electronic Frontiers Foundation in a comment on the second protocol, the proposal should not operate to lower existing protections such as Canada's prohibition on sharing digital identifiers without judicial authorization or the United States' requirement for probable cause-based production orders. Finally, the letter calls for a prohibition on data localization laws that are imposed without any privacy justification, for the primary objective of imposing often arbitrary and invasive surveillance obligations. For example, Russia has been taking increasingly aggressive steps in compelling global online platforms to host Russian data locally to facilitate invasive surveillance and censorship practices.

  • – 2017-06-30 –

    A letter was sent today on behalf of coalition comprised of 83 leading organizations and experts from Australia, Canada, New Zealand, the United Kingdom and the United States to their respective governments in reaction to renewed state calls for measures that would effectively weaken encryption. The letter responds to a ministerial meeting of the five governments' respective security officials hosted in Ottawa earlier this week, where possibilities for facilitating increased state access to encrypted data were discussed.

    The ministerial occurred under the auspices of the 'Five Eyes' - a surveillance partnership between intelligence agencies within the five countries, including Canada's Communications Security Establishment (CSE). It generated a joint Communique, which presented encryption as a serious barrier to public safety efforts and an impediment to state agencies wishing to access the content of some communications for investigative reasons.

    The coalition letter, which was organized by Access Now, CIPPIC, and researchers from Citizen Lab, called on the Five Eye governments to "respect the right to use and develop strong encryption" while urging broader public participation in future discussions such as the one that occurred earlier this week. Strong and uncompromised encryption has never been more important, as it protects our most sensitive data, our increasingly critical online interactions, even the integrity of our elections.

  • – 2016-10-05 –

    Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invite a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners. The government’s framing of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools. 

    In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts authored in conjunction with Christopher Parsons at the Citizen Lab, beginning with today's installment (after the jump, or in PDF format) regarding the government’s reincarnation of a highly controversial telecommunication subscriber identification power.

  • – 2016-09-19 –

    CIPPIC appeared today before the House of Commons Standing Committee on Access to Information, Privacy & Ethics (ETHI) in its ongoing review of Canada's aging Privacy Act. The Act regulates the federal government's handling of personal information, comprising a central component of Canada's privacy framework. However, it has not received any substantial updates since its introduction in the early 1980s, despite tectonic shifts in the incentives animating government data-related objectives as well as in the technological capability to achieve these objectives. In addition, the government has introduced numerous laws designed to update and expand its ability to collect, use and share private data since the 1980s, including laws specifically designed to address technological developments. In the face of this one-sided expansion of state capabilities, the Privacy Act has simply not kept pace, and is in serious need of modernization if it is to continue to effectively meet its objectives to protect individual privacy rights, facilitate government accountability and safeguard public trust.

    CIPPIC's recommendations sought to address key gaps in the Privacy Act, while adding principled protections that will help the Act stay relevant in the future. This includes the addition of principled limits on how long data can be reasonably kept by the government. There is currently no such explicit obligation in the Privacy Act, despite the fact that retention limitations are a hallmark of data protection regimes. An over-riding reasonableness obligation is also necessary, as it would ensure government data practices remain proportionate and in alignment with Charter values. CIPPIC also called for addressing central shortages in the Act's transparency framework, including the incorporation of statistical reporting obligations attaching to all law enforcement electronic surveillance powers, and a general 'openness' obligation compelling the government to proactively explain its privacy practices. Additional recommendations addressed the need for mandating reasonable technical safeguards, a mandatory data breach notification regime and formalizing privacy impact assessment requirements.

  • – 2016-09-13 –

    CIPPIC and the Citizen Lab, released a report today that describes and analyzes a class of covert electronic surveillance devices called cell site simulators (typically referred to as IMSI Catchers or by brand names such as 'Stingray'). IMSI Catchers operate by impersonating cell phone towers in order to trick mobile devices within range into transmitting digital identifiers, which are then used to track mobile devices or identify the otherwise anonymous individuals associated with them. The report (Executive Summary, FR) argues that the devices are inherently invasive. The geo-location and identification they facilitate engages sensitive privacy interests and, moreover, they are inherently coarse - for each target they are deployed against, the privacy of thousands of non-targeted mobile devices within range is collaterally affected. IMSI Catchers are also intrusive for their interference with the operation of mobile devices, which cannot receive or transmit any phone, text or data communications while engaged with an IMSI Catcher. This can include interference with critical communications such as emergency 911 calls.

    Exacerbating the intrusive features of this electronic surveillance tool has been the cloud of secrecy that pervades its use. The report describes significant efforts by journalists and civil society, in Canada and abroad, which sought to uncover use of this device in Canada and the heavy and unnecessary yet persistent resistance these efforts have experienced. The resulting secrecy, which appears to be encouraged by non-disclosure agreements imposed on Canadian agencies by IMSI Catcher vendors, has delayed important public policy debates regarding the appropriate use of these devices, while eroding public confidence. The report calls for the imposition of a range of transparency, proportionality and mitigation measures, modeled on regulatory frameworks adopted by other jurisdictions for IMSI Catchers, by Canadian courts and legislatures for comparably intrusive electronic surveillance tools and by international normative frameworks for digital privacy protection.

  • – 2016-03-23 –

    Cell-site simulators, colloquially referred to as IMSI Catchers or by brand names such as "Stingrays" or "King Fisher" are surveillance tools used by state agencies to identify or track mobile devices (and, of course, the individuals associated with such devices). Compared to other surveillance devices, IMSI Catchers are inherently invasive. They are designed to impersonate cell towers, in both functionality and appearance. As a result, IMSI Catcher surveillance is broad and indiscriminate -each time an IMSI Catcher is deployed against a specific target, it interferes with all devices in range. Each time an IMSI Catcher is used against one specific target, it can interfere with the privacy of thousands, collecting the digital identifiers (IMSI, IMEI) of all mobile devices within range. With these identifiers, otherwise anonymous individuals can be geo-located or tracked. In addition to the privacy interference, IMSI Catchers interfere with the functionality of mobile devices in range, preventing them from sending or receiving phone calls, text messages or data, including emergency 911 calls.

    The secrecy surrounding the use of these devices has been significant, with law enforcement agencies in Canada generally refusing to acknowledge, or even deny, whether they have ever made use of such a device. The Vancouver Police (VPD), for example, have refused to respond to a freedom of information demand from the Pivot Legal Society for any records relating to its use of these devices. CIPPIC and Christopher Parsons from Citizen Lab represented an intervener in the appeal of that refusal, OpenMedia. VPD defends its decision on the basis that acknowledging any IMSI Catcher would undermine their utility as surveillance tools. However, as we pointed out in the intervention, a lot of information is already in the public record regarding the capabilities of these devices and their use by state agencies, and there is a compelling public interest in publicizing use of these devices, to facilitate public debate regarding the appropriate parameters of their use. UPDATE: On May 25, 2016, after reviewing the record of the appeal, VPD issued a response, indicating that they do not own an IMSI Catcher and have no records relating to the use of such devices. However, ongoing questions remain regarding whether VPD has used these devices in past investigations through the aegis of the RCMP.

  • – 2015-11-27 –

    In the wake of the Paris attacks, there have been numerous calls by security agencies to once again expand the nature and scope of surveillance and other security framework under which they operate. Many of these calls were neatly summarized in an opinion piece in the Globe and Mail published November 25, 2015. A number of civil society organizations wrote in response today, refuting the one-sided expansion of state powers as an enduring solution to the world's security problems, the full response and list of signatories is replicated below. Also today, the International Civil Liberties Monitoring Group penned a well-argued response to attempts by RCMP Commissioner Bob Paulson, who has renewed calls for legislation granting police unsupervised and unrestrained access to online identifiers. The post recalls how Canadians have soundly rejected such calls in the past when it was presented as a solution to, in succession: cybercrime, child pornography and cyber-bullying. This latest iteration is equally as invasive and equally as unnecessary as its predecessors. Online identifiers are the essence to digital privacy and anonymity. Granting wholesale access to them is neither necessary to effective law enforcement or counter-terrorism, nor is it a proportional incursion on our digital privacy. If police need specific access to identifying information, it should only be obtained through the use of a dedicated production order similar to those already in the Criminal Code for other forms of metadata such as transmission and tracking information.

    Overall, as both civil society initiatives note, we are seeing a familiar list of demands for new powers from law enforcement following the Paris attacks. However, it is notable that none of these are responses to whatever shortcomings (if any) in surveillance powers may have contributed to the Paris attacks. The Globe and Mail letter is reproduced after the bump and can also be read here.