Electronic Surveillance

Electronic surveillance, given its low-cost/high efficiency and broad-ranging nature, is potentially the most insidious form of surveillance available. 'Lawful Access', a deceptively innocuous term given to the government's attempts to expand its power to spy on Internet activity by removing traditional safegaurds on its ability to use electronic surveillance. It does so by providing new ways by which law enforcemet and other state agents can lawfully access and intercept online activity and information. CIPPIC is working with other groups and individuals concerned about increasing government surveillance to assess and respond to the Canadian government's "lawful access" proposals. CIPPIC is concerned that attempts to update 'lawful access' capabilities are far from targeted and will have serious detrimental impact on Canadians' civil liberties.

Litigation

PIPEDA Complaints

Law Reform

Today, the Supreme Court of Canada issued R v Reeves, 2018 SCC 56, a decision that further entrenches Canadians' privacy expectations in computing devices while adding important nuance to the Court's jurisprudence regarding information privacy protections in shared. The decision under appeal questioned whether police can seize a shared computing device on the third party consent of a co-user.

As CIPPIC noted in its intervention, ably prepared by our co-counsel, Jill Presser and Kate Robertson, shared access to computing devices is routine feature of modern life. Often this shared access occurs without explicit individual awareness -- a trend only likely to increase with the plethora of emerging smart home devices. Allowing one roommate, partner or other co-habitant to unilateral waive privacy protection could allow the state to intervene into highly private spaces with minimal safeguards in place. Low-income individuals [para 44] and individuals subjected to technology-facilitated abuse [para 23] by their intimate partners could disproportionately face the brunt of these negative impacts. In rejecting such a paradigm, Madam Justice Karakatsanis (writing for the majority) correctly held that privacy rights must survive the pragmatic risk associated with such routine living arrangements:

I cannot accept that, by choosing to share our computers with friends and family, we are required to give up our Charter protection from state interference in our private lives. We are not required to accept that our friends and family can unilaterally authorize police to take things that we share. The decision to share with others does not come at such a high price in a free and democratic society. [para 44]

Reeves contributes to a growing body of jurisprudence elaborating privacy protections in shared or semi-public situations, which includes last year's decisions in Marakah and Jones, as well as upcoming decisions in R v Mills, SCC File No 37518,R v Jarvis, SCC File No 37833, and R v Le, SCC File No 37971.

Image Credit: Marco Verch, "Aufkleber mit Passwort auf dem Laptop", July 24, 2018, Flickr, CC-BY 2.0

The Electronic Frontier Foundation (EFF) released a timely white paper this week examining the negative implications and chilling effects that various cybercrime provisions throughout the Americas can have on coder's rights and specifically on security researchers. Entitled "Protecting Security Researcher's Rights in the Americas", the analysis explores a range of cybercrime regimes nominally intended in principle to criminalize unauthorized access to or disruption of computer systems. However, these laws have been framed so broadly as to impose a serious chilling effect on vital activity of security researchers. Drawing on the Inter-American human rights framework (of which Canada is a partial adherent), some national jurisprudence, and principles of criminal law, the paper argues for cybercrime regimes that accommodate beneficial security work. There must be latitude for non-malicious security testing, for the dissemination of critical security tools and for the responsible publication of discovered security breaches.

Sadly, current laws are framed so broadly that they have had a serious chilling effect on socially beneficial security work. Those who discover security breaches face severe legal threats and sometimes even criminal consequences for attempting to bring these to host organization's attention. The result is that security breaches are increasingly likely to remain unresolved until they are discovered by someone seeking to exploit, rather than to merely expose. The paper, to which CIPPIC provided substantive contributions, calls for clearer standards to remedy this situation.

At a time when our electronic devices contain an over-more detailed window every facet of our lives, international travel poses a growing challenge to privacy as the expansive powers granted to our border control agents are leveraged with increasing frequency to search our digital repositories. The BC Civil Liberties Association (BCCLA), with help from CIPPIC and under the generous auspices of CIRA's Community Investment Program, has updated its Electronic Devices Privacy Handbook, which outlines the types of intrusions individuals can expect when attempting to cross the Canadian border with electronic devices in hand and explains some of the legal and policy rationales which guide emerging legal rights in this context. Can devices be searched randomly? Must such a search be cursory or can it be extensive? Can devices be seized and kept? Can individuals be compelled to provide passwords to their devices? The Guide, a short version of which is available in 7 languages, also suggests some best practices for individuals who might be concerned that their sensitive photos, their legally privileged work documents or their list of journalistic sources might fall into the hands of the state simply because they need to travel in and out of Canada.

Image credit: BCCLA, 2018

CIPPIC joined the Electronic Frontier Foundation (EFF) and European Digital Rights (EDRi) in spearheading a submission (signed by 10 additional NGOs) which calls on the Council of Europe (CoE) to ensure privacy and other human rights safeguards are not left behind in its rush to develop new mechanisms for law enforcement to access data hosted in other jurisdictions. The submission injects our concerns into rapidly evolving negotiations between Canada, the United States, and several European and other states, for a treaty protocol that would govern cross-border data access amongst signatories.

The submission notes several concerns with the direction the negotiations have taken. Current proposals seek to bypass critical vetting mechanisms embedded in the current regime that screen foreign data access requests for blatant human rights violations. The rationale for removing this vetting mechanism is a presumption that signatory parties share an understanding of human rights protections yet, as the submission documents, no such shared basis exists. For example, Canada and some European states have faced significant liability for their roles in facilitating various United States counter-terror efforts which ultimately resulted in illegal rendition and even torture of various individuals in violation of their own human rights obligations. (p 28) Disagreements between signatories over the appropriate use of automated decision-making in a variety of additional violations of states' human rights obligations while resulting in serious detrimental impact on those most vulnerable (pp 26). The treaty, as proposed, will also permit law enforcement to bypass core domestic privacy protections simply because data is stored abroad allowing Canadian police, for example, to bypass critical protections for anonymous online activity simply because data is stored abroad. This race to sacrifice human rights protections occurs despite the fact that the current regime for cross-border access (which, admittedly, is not responsive enough to law enforcement's needs) can be dramatically improved with greater training and resource investment.

Image Credit: Max Pixel, CC-0

Encryption is vital to maintaining the integrity of communications and computing systems in modern life. It is not only essential for securing trust in e-commerce systems, but also, in the digital age, integral to the realization of a wide range of human rights. In spite of the critical importance of encryption, some law enforcement and intelligence agencies view cryptography as a barrier to their investigative and intelligence-gathering activities, and have therefore called for limits on the public availability and use of uncompromised and secure encryption. This paper seeks to examine the parameters of this debate, with particular attention to its Canadian components and implications.

In a sweeping report, launched today by CIPPIC in conjunction with our friends at the Citizen Lab, we canvass the importance of cryptography, historical and current attempts to undermine its utility in order to facilitate law enforcement and public safety objectives, and the legal implications of these attempts.

As Bill C-59, the National Security Act, 2017, winds its way through committee (SECU), the Government has made available a lightly redacted copy of its briefing notes developed in support of the Bill. A central point of contention in Bill C-59 is the proposed CSE Act, which will provide a new and comprehensive framework for the CSE, Canada's foreign signals intelligence agency. Elements of this framework are long overdue, such as its creation of NSIRA, which will have far-reaching capabilities to review the CSE's activities, and an Intelligence Commissioner which, if properly empowered, will provide an independent check on some of the CSE's activities.  However, as we (jointly with the Citizen Lab) pointed out in a recent analysis, the CSE Act requires significant  revision if it is to provide a reasonable framework for the CSE's activities. The briefing notes provide helpful additional insights into Bill C-59 and in particular into some of the CSE's anticipated uses of its new powers embodied in the proposed  CSE Act. However, we re-joined the Citizen Lab in analyzing these briefing notes and concluded that the government's justifications for some of the more controversial elements of the CSE Act (particularly its new poers to carry out cyber operations and an exceptoin that will permit it to direct its ativities at Canadians when collecting 'publicly available information') simply fall short. Specifically, the briefing notes present only the most innocuous uses to which the CSE's new powers might be put, painting an extremely sparse picture of provisions that are far more permissive in scope. The short analysis supplements this sparse presentation, and reaffirms the need for reform of the new proposed provisions. Read the analysis, which is authored by (in alphabetical order) Lex Gill (Citizen Lab), Tamir Israel (CIPPIC) and Christopher Parsons (Citizen Lab) after the jump, or you can obtain the analysis in PDF format here.

Image Credit: Junaldrao, "Jorge Bamboa, The Tip of the Iceberg", June 2, 2017, CC-BY-ND 2.0, Flickr

Agents of the State

In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes.  As a result of opposing to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.

Privacy in domain name registration (CIRA & ICANN)

In response to planned outsourcing by the British Columbia government of certain database administrative duties to a U.S.-linked company, the British Columbia Privacy Commissioner invited public input by August 6, 2004 on the extent to which the USA Patriot Act allows US authorities to access the personal information of British Columbians, and the implications of such access for public body compliance with privacy legislation.

New information and communication technologies such as the Internet, email, cellphones, and encryption offer individuals new ways to communicate, organize, and engage in criminal behaviours, creating challenges for law enforcement agencies in their efforts to investigate and prosecute criminal activity. On the other hand, these same technologies provide authorities with access to potentially vast amounts of personal information on individuals.

Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invite a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners. The government’s framing of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools. 

In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts authored in conjunction with Christopher Parsons at the Citizen Lab, beginning with today's installment (after the jump, or in PDF format) regarding the government’s reincarnation of a highly controversial telecommunication subscriber identification power.

CIPPIC staff discuss issues arising from proposed lawful access legislation.

R v Marakah, 2017 SCC 59 & R v Jones, 2017 SCC 60

R v Fearon, 2014 SCC 77, SCC File No 35498

Chehil/MacKenzie v. Her Majesty the Queen, S.C.C. FIle Nos. 34524 & 34397

Telus Communications Company v. Her Majesty the Queen, 2013 SCC 16

PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.

Canadian Banks and SWIFT

Bill 622: CSEC Transparency & Accountability

On February 14, 2012, the federal government once more introduced a legislative package of lawful access bills: Bill C-30Protecting Children from Internet Predators Act

Lawful Access (Bills C-50, C-51 & C-52)

Government reintroduces online spying legislation (Winter 2010)

In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.

The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customer's information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.

Canada's 2010 Digital Economy Consultation

Bills C-46 & C-47, collectively the 'lawful access' or 'online surveillance' legislation, introduced on June 18, 2009.

Public Safety Canada consultations on online surveillance legislation (Fall 2007)

On November 15, 2005, the federal government introduced Bill C-74, the Modernization of Investigative Techniques Act (MITA), "an act to compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number." Note that this bill does not introduce new Production Orders, Preservation Orders, or other Criminal Code amendments that are described below as part of the broader package of "Lawful Access" proposals on which the government has been consulting.

Department of Justice consultations on electronic surveillance legislation, March 2005