Electronic Surveillance - News

  • – 2018-10-18 –

    The Electronic Frontier Foundation (EFF) released a timely white paper this week examining the negative implications and chilling effects that various cybercrime provisions throughout the Americas can have on coder's rights and specifically on security researchers. Entitled "Protecting Security Researcher's Rights in the Americas", the analysis explores a range of cybercrime regimes nominally intended in principle to criminalize unauthorized access to or disruption of computer systems. However, these laws have been framed so broadly as to impose a serious chilling effect on vital activity of security researchers. Drawing on the Inter-American human rights framework (of which Canada is a partial adherent), some national jurisprudence, and principles of criminal law, the paper argues for cybercrime regimes that accommodate beneficial security work. There must be latitude for non-malicious security testing, for the dissemination of critical security tools and for the responsible publication of discovered security breaches.

    Sadly, current laws are framed so broadly that they have had a serious chilling effect on socially beneficial security work. Those who discover security breaches face severe legal threats and sometimes even criminal consequences for attempting to bring these to host organization's attention. The result is that security breaches are increasingly likely to remain unresolved until they are discovered by someone seeking to exploit, rather than to merely expose. The paper, to which CIPPIC provided substantive contributions, calls for clearer standards to remedy this situation.

  • – 2018-10-03 –

    At a time when our electronic devices contain an over-more detailed window every facet of our lives, international travel poses a growing challenge to privacy as the expansive powers granted to our border control agents are leveraged with increasing frequency to search our digital repositories. The BC Civil Liberties Association (BCCLA), with help from CIPPIC and under the generous auspices of CIRA's Community Investment Program, has updated its Electronic Devices Privacy Handbook, which outlines the types of intrusions individuals can expect when attempting to cross the Canadian border with electronic devices in hand and explains some of the legal and policy rationales which guide emerging legal rights in this context. Can devices be searched randomly? Must such a search be cursory or can it be extensive? Can devices be seized and kept? Can individuals be compelled to provide passwords to their devices? The Guide, a short version of which is available in 7 languages, also suggests some best practices for individuals who might be concerned that their sensitive photos, their legally privileged work documents or their list of journalistic sources might fall into the hands of the state simply because they need to travel in and out of Canada.

    Image credit: BCCLA, 2018

  • – 2018-06-28 –

    CIPPIC joined the Electronic Frontier Foundation (EFF) and European Digital Rights (EDRi) in spearheading a submission (signed by 10 additional NGOs) which calls on the Council of Europe (CoE) to ensure privacy and other human rights safeguards are not left behind in its rush to develop new mechanisms for law enforcement to access data hosted in other jurisdictions. The submission injects our concerns into rapidly evolving negotiations between Canada, the United States, and several European and other states, for a treaty protocol that would govern cross-border data access amongst signatories.

    The submission notes several concerns with the direction the negotiations have taken. Current proposals seek to bypass critical vetting mechanisms embedded in the current regime that screen foreign data access requests for blatant human rights violations. The rationale for removing this vetting mechanism is a presumption that signatory parties share an understanding of human rights protections yet, as the submission documents, no such shared basis exists. For example, Canada and some European states have faced significant liability for their roles in facilitating various United States counter-terror efforts which ultimately resulted in illegal rendition and even torture of various individuals in violation of their own human rights obligations. (p 28) Disagreements between signatories over the appropriate use of automated decision-making in a variety of additional violations of states' human rights obligations while resulting in serious detrimental impact on those most vulnerable (pp 26). The treaty, as proposed, will also permit law enforcement to bypass core domestic privacy protections simply because data is stored abroad allowing Canadian police, for example, to bypass critical protections for anonymous online activity simply because data is stored abroad. This race to sacrifice human rights protections occurs despite the fact that the current regime for cross-border access (which, admittedly, is not responsive enough to law enforcement's needs) can be dramatically improved with greater training and resource investment.

    Image Credit: Max Pixel, CC-0

  • – 2018-05-13 –

    Encryption is vital to maintaining the integrity of communications and computing systems in modern life. It is not only essential for securing trust in e-commerce systems, but also, in the digital age, integral to the realization of a wide range of human rights. In spite of the critical importance of encryption, some law enforcement and intelligence agencies view cryptography as a barrier to their investigative and intelligence-gathering activities, and have therefore called for limits on the public availability and use of uncompromised and secure encryption. This paper seeks to examine the parameters of this debate, with particular attention to its Canadian components and implications.

    In a sweeping report, launched today by CIPPIC in conjunction with our friends at the Citizen Lab, we canvass the importance of cryptography, historical and current attempts to undermine its utility in order to facilitate law enforcement and public safety objectives, and the legal implications of these attempts.

  • – 2018-01-30 –

    As Bill C-59, the National Security Act, 2017, winds its way through committee (SECU), the Government has made available a lightly redacted copy of its briefing notes developed in support of the Bill. A central point of contention in Bill C-59 is the proposed CSE Act, which will provide a new and comprehensive framework for the CSE, Canada's foreign signals intelligence agency. Elements of this framework are long overdue, such as its creation of NSIRA, which will have far-reaching capabilities to review the CSE's activities, and an Intelligence Commissioner which, if properly empowered, will provide an independent check on some of the CSE's activities.  However, as we (jointly with the Citizen Lab) pointed out in a recent analysis, the CSE Act requires significant  revision if it is to provide a reasonable framework for the CSE's activities. The briefing notes provide helpful additional insights into Bill C-59 and in particular into some of the CSE's anticipated uses of its new powers embodied in the proposed  CSE Act. However, we re-joined the Citizen Lab in analyzing these briefing notes and concluded that the government's justifications for some of the more controversial elements of the CSE Act (particularly its new poers to carry out cyber operations and an exceptoin that will permit it to direct its ativities at Canadians when collecting 'publicly available information') simply fall short. Specifically, the briefing notes present only the most innocuous uses to which the CSE's new powers might be put, painting an extremely sparse picture of provisions that are far more permissive in scope. The short analysis supplements this sparse presentation, and reaffirms the need for reform of the new proposed provisions. Read the analysis, which is authored by (in alphabetical order) Lex Gill (Citizen Lab), Tamir Israel (CIPPIC) and Christopher Parsons (Citizen Lab) after the jump, or you can obtain the analysis in PDF format here.

    Image Credit: Junaldrao, "Jorge Bamboa, The Tip of the Iceberg", June 2, 2017, CC-BY-ND 2.0, Flickr

  • – 2017-12-18 –

    CIPPIC joined the Citizen Lab today in releasing a detailed analysis of Bill C-59 which, among other things, seeks to comprehensively modernize the Communication Security Establishment (CSE)'s legal framework. The CSE, Canada's foreign intelligence agency, is granted expansive powers and a mandate that is intended to be 'foreign facing', a tradeoff intended to limit safeguards applied to the Establishment while limiting its ability to impact on Canadians. The Bill C-59 reforms in many ways improve the CSE's current operational regime, by requiring the CSE to operate in a proportionate manner and under some independent control for the first time. Ultimately, while the Bill modernizes many of the CSE's powers and capabilities, it remains stuck in the past with respect to its oversight and control regime—a regime that remains driven by executive authority. The report suggests over 50 reforms to the Bill, with varying degrees of impact. Of particular concern is the Bill's open embrace of mass and bulk surveillance practices, a range of newly introduced exceptions that will grant the CSE more scope to operate domestically, a new domestic private sector cybersecurity regime, and new cyber operation powers that would allow the CSE to disrupt and undermine security, the integrity of communications networks and human rights in Canada and abroad.

    At the same time, the report points to deficiencies in the independent control and oversight mechanism proposed by Bill C-59. The embodiment of these mechanisms (the Intelligence Commissioner) is presented as a quasi-judicial check on the Minister's otherwise broad powers to authorize the CSE's activities. However, the Commissioner lacks the independence and scope of oversight necessary to meaningfully carry out the function envisioned for it. Notably, while the Commissioner may now refuse some authorizations as issued by the Minister of National Defence, the process remains largely driven by the executive branch of government. The Commissioner lacks basic fact-finding powers, mechanisms for direct adversarial input, formalized appeal mechanisms and even the obligation to issue reasons when approving a ministerial authorization. The scope of Commissioner oversight is similarly deficient. As others have noted, Commissioner approval is only required if CSE activities would otherwise violate a law of Canada or the Charter, a triggering mechanism that falls well short, allowing significant invasive CSE conduct to fall outside the scope of Commissioner control. Critically, Bill C-59 introduces a range of new cyber operation powers that could well be the most invasive in the Establishment's toolkit, yet these fall altogether outside the scope of Commissioner control. As Bill C-59 continues to make its way through parliamentary committee, it is hoped that some of these issues (and others itemized in a civil society coalition statement) will be addressed.

    Image Credit: Gautier Poupeau, "Magnifying Glass [Loupe], 1963, Roy Lichtenstein", July 14, 2013, CC-BY-2.0, Flickr

  • – 2017-12-08 –

    The Supreme Court of Canada issued its long-awaited decisions in R v Marakah, 2017 SCC 59 and R v Jones, 2017 SCC 60 today, issuing a strong statement on the protection of privacy in digital contexts. The decision held that text messages continue to enjoy constitutional protection even after they are received by their intended recipient, meaning the state cannot bypass constitutional protections simply by directing its search to the recipient's cell phone, social media account or service provider. As CIPPIC argued in its interventions [Marakah, Jones], the decisions being appealed adopted a formalistic approach to concepts such as 'control' and 'access' which apply robustly in the physical world (who controls the data at the time of access, from what location is the data accessed) but have minimal bearing on privacy expectations in digital spaces. By contrast, the majority of the Supreme Court adopted a broad analysis of the privacy interests at stake, with outgoing Chief Justice Beverley McLachlin emphasizing the choice of a private conversation medium (i.e. text messaging) as driving the privacy analysis, concluding that "... privacy in electronic conversations is worthy of constitutional protection. That protection should not be lightly denied." Indeed, as McLachlin, CJ, explains on behalf of the majority in Marakah, the choice of a private messaging medium is, in and of itself, an exercise of effective control, underpinning privacy expectations in electronic messages that extend to their recipient. The choice to engage in a private electronic conversation creates a context where the sender can reasonably expect the messages to remain secure against the eyes of the state.

    Image Credit: Matt Karp, CC-BY-NC-ND 2.0, May 7, 2010, Flickr

  • – 2017-10-23 –

    CIPPIC has helped organize letters from over 40 prominent individuals and organizations supporting Chelsea Manning's legal team in its bid to reverse her refusal of entry into Canada. As CIPPIC points out in its own letter of support, the whistleblowing activities which formed the basis for Ms Manning's sentence in the United States have been integral to debates surrounding many matters of public interest—including a casual disregard for civilian life in the Iraqi and Afghanistan wars and a program of extra-judicial assassination targeting senior Taliban and Al-Qaeda officials. These disclosures could not be shown to have caused any direct damage, and Ms Manning's sentence for her crime of conscience has since been commuted by former US President Barack Obama. Refusing Ms Manning entry into Canada on the basis of her conduct is an injustice that should be reversed. The campaign was spearheaded by independent researcher Lex Gill. CIPPIC's letter can be read here: https://cippic.ca/uploads/20171012-LT_GoC_re_Chelsea_Manning.pdf

    Image credit: CC-BY 2.0, Jackie: Flickr

  • – 2017-09-12 –

    CIPPIC joined the BC Civil Liberties Association, Dr. Christopher Parsons and Privacy International in writing to Canada's two primary national security oversight bodies, SIRC and the CSE Commissioner. Drawing on an analysis of human rights transparency obligations, the letter notes recent efforts by these two bodies to examine cross-border data sharing arrangements entered into by the two agencies they oversee, CSIS and CSE, respectively. It then poses a few questions regarding the oversight bodies' respective abilities to find out about and assess information sharing arrangements, and regarding the processes by which information-sharing arrangements are formed. The letter constitutes the Canadian instance of an international campaign that sent comparable requests to national security oversight bodies in over 40 countries around the world. The objective is to gain a clearer picture of international data flows between national security agencies, and to establish a dialogue with national security oversight bodies on this matter. Read the letter here: https://cippic.ca/uploads/20170913-LT_re_intel_sharing_agreements-CA.pdf

  • – 2017-09-07 –

    CIPPIC joined a number of civil society groups in a submission outlining concerns regarding a proposition by the Council of Europe to adopt a second protocol to its Cybercrime Convention with the objective of lowering current safeguards in place when law enforcement agencies seek access to data stored in foreign countries. The submission, which was spearheaded by our friends at EDRi, establishes a number of preliminary baseline requirements for any international instrument aiming to facilitate cross-border law enforcement access to data. While only a starting point, some of the minimum requirements in the submission will surely need to be addressed if the proposed second protocol is to have the legitimacy and global adoption its authors hope. These include:

    • Limiting the second protocol to addressing gaps left by a reformed MLAT regime
    • The need for competent and independent judicial authorization as a centre-piece to any cross-border data access regime
    • The data hosting state must be notified when a foreign law enforcement agency accesses data hosted within its territory
    • A right to challenge foreign data requests in the country of the affected data subject, and by that country's standards.

    In addition, as pointed out by the Electronic Frontiers Foundation in a comment on the second protocol, the proposal should not operate to lower existing protections such as Canada's prohibition on sharing digital identifiers without judicial authorization or the United States' requirement for probable cause-based production orders. Finally, the letter calls for a prohibition on data localization laws that are imposed without any privacy justification, for the primary objective of imposing often arbitrary and invasive surveillance obligations. For example, Russia has been taking increasingly aggressive steps in compelling global online platforms to host Russian data locally to facilitate invasive surveillance and censorship practices.