Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA Analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five EYEs partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.
Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy respective manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful data privacy day, for better or worse!
The Supreme Court of Canada issued its decision in R. v. Fearon, 2014 SCC 77, today, which addressed whether law enforcement could indiscriminately search the mobile devices of individuals upon arrest. Whereas the Charter requires prior judicial authorization based on reasonable grounds in most instances, law enforcement are granted more latitude when searching individuals under arrest. The question in Fearon (and in a similar appeal heard by the United States Supreme Court around the same time - Riley v. California, 134 St.Ct. 2473 (2014), was whether this broad rule should be applied to mobile devices given the rich amounts of information contained on these devices. In its intervention, CIPPIC argued that the breadth of the power to search on arrest combined with the ubiquitous use and far-ranging data contained on mobile devices will leave few instances where law enforcement cannot rummage through cell phones.
While acknowledging the high privacy interest in mobile devices requires limiting access on arrest to situations where an immediate investigative purpose exists, a split decision of the court provided wide latitude for law enforcement to scour mobile data receptacles on arrest in many if not most instances. This is because, as noted by the dissent, mobile devices are implicated in most of our activities, so law enforcement will almost always be able to advance a general prospect that such a device might yield evidence of a witness, co-conspirator, or object of crime. Similarly, as noted by the dissent, while not each search of a mobile device will reveal sensitive information, the knowledge of an impending search is likely to have a chilling effect and, in those instances where an invasion occurs, there will not be an opportunity to remedy the issue ex post. In spite of this, the majority found that law enforcement objectives must prevail. The decision appears at odds with a string of supreme court decisions upholding additional protections for data receptacles, as well as with the United States. In the US, a concern for officer safety and the need to prevent destruction of evidence has, historically, motivated a search on arrest rule as broad as Canada's, but as the US Supreme court recently found in Riley/Wurie, this rule does not extend to mobile devices.
CIPPIC attempted to intervene at the Federal Court of Appeal on a matter that raises many fundamental issues arising from the ability of Canadian intelligence agencies to make use of the extensive -- and arguably unconstitutional -- practices of foreign intelligence partners such as the U.S. National Security Agency (NSA) and the UK Government Communications HeadQuarters (GCHQ). The proceeding, an appeal of a decision issued by Justice Mosley of the Federal Court last December, has been shrouded in secrecy due to the important national security interests it is examining. This secrecy has made it difficult for CIPPIC to attempt intervention in a timely matter and its request for directions regarding any such intervention arrived too late in the proceeding. CIPPIC will continue to monitor this file as it is likely to make its way to the Supreme Court of Canada.
Bill C-622, the CSEC Accountability and Transparency Act, introduced today by Joyce Murray, (Liberal-Vancouver Quadra), seeks to address a number of the many problems inherent in the surveillance activities of Canada's foreign intelligence signals agency, the Communications Security Establishment of Canada (CSEC). CSEC currently operates largely on its own, subject only to broadly-frame authorizations and directives from the Minister of National Defence (MND) and non-binding oversight from the CSE Commissioner. While the Bill fails to substantially restrict CSEC's mass harvesting of Canadians' data by imposing disciplined surveillance practices, it does make meaningful progress on the long list of CSEC-related problems that need to be addressed, by:
Removing the MND's capacity to authorize interception of Canadians' private communications. Such authorization can only come from a judge following an adversarial proceeding;
Adopting an inclusive definition-Protected Information-which unambiguously includes all data associated with communications, including metadata, not just content;
Imposing stricter limits on how long CSEC can retain Canadian data that is incidentally collected in its surveillance activities, however the MND may override these limits under certain conditions; and
Removing CSEC's ability to conduct 'classes of surveillance activities', but retaining its capacity spy on 'classes of persons' without any need for reasonable grounds.
In addition, the Bill enhances transparency and oversight by establishing a non-partisan parliamentary oversight committee and requiring the CSE Commissioner's annual report on CSEC activities to include greater detail. More after the jump.
A comprehensive report was issued today which examines the technical and policy response to foreign intelligence problems highlighted by the unique window into the operation of such agencies that has been provided by whistleblower Edward Snowden over the past year. The report, which focuses mostly on developments at the national level within 18 countries (there is also one EU-wide section and one section that examines the private sector), points to a strong shift in perception and growing acknowledgement and concern over foreign intelligence activities. However, in spite of this concern, it points to minimal tangible changes to date across surveyed countries (aside from the United States, where some nascent changes have already taken root).
This is perhaps not surprising -- while the Snowden revelations have certainly shined a light on foreign intelligence activities around the world, the primary focus of these documents has been the activities of the US-based NSA. In addition, while reporting on the leaks began one year ago, the staged release of these revelations has meant that a complete picture has only emerged in the past few months. It is, then, perhaps unsurprising that most changes to date have occurred in the United States or at the international level. The report was generated by privacy scholar Simon Davies. CIPPIC, in conjunction with Christopher Parsons (Citizen Lab) and Micheal Vonn (BCCLA), provided the Canada chapter.
A large coalition of Canada's leading privacy experts and civil society groups wrote to Prime Minister Stephen Harper Friday regarding the federal government's increasing failure to protect the privacy of Canadians. The letter points to the government's efforts to increase the ability of law enforcement and other state agencies' ability to exploit new technologies in order to invade Canadians' privacy (pointing specifically to Bill C-13, currently being rushed through parliamentary committee under the guise of 'cyber bullying' legislation), while steadfastly refusing to address long-standing privacy problems raised by the same technological developments. The letter specifically points to the unchecked surveillance activities of Canada's foreign intelligence agency, CSEC, and the steadfast refusal to update ageing but central privacy and transparency statutes as indication of some of the long-standing privacy problems the government has refused to act on. It calls on the government to take its review of the privacy-invasive elements of Bill C-13 seriously, and to establish a commission to examine privacy and state surveillance in the digital age. Finally, the letter decries the controversial nomination of a government official as Privacy Commissioner of Canada, a nomination which was made in direct contradiction to the government's own own selection committee. Specifically, the letter noted the problematic timing of this appointment, which arrives at a time when fundamental decisions that will affect the privacy of Canadians for decades are being made and leaves Canada without a privacy watchdog to weigh in on these formative debates.
In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes. As a result of opposing to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.
Privacy in domain name registration (CIRA & ICANN)
In response to planned outsourcing by the British Columbia government of certain database administrative duties to a U.S.-linked company, the British Columbia Privacy Commissioner invited public input by August 6, 2004 on the extent to which the USA Patriot Act allows US authorities to access the personal information of British Columbians, and the implications of such access for public body compliance with privacy legislation.
New information and communication technologies such as the Internet, email, cellphones, and encryption offer individuals new ways to communicate, organize, and engage in criminal behaviours, creating challenges for law enforcement agencies in their efforts to investigate and prosecute criminal activity. On the other hand, these same technologies provide authorities with access to potentially vast amounts of personal information on individuals.
CIPPIC staff discuss issues arising from proposed lawful access legislation.
R. v. Fearon, S.C.C. File No. 35498
Chehil/MacKenzie v. Her Majesty the Queen, S.C.C. FIle Nos. 34524 & 34397
Telus Communications Company v. Her Majesty the Queen, 2013 SCC 16
PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.
Bill 622: CSEC Transparency & Accountability
On February 14, 2012, the federal government once more introduced a legislative package of lawful access bills: Bill C-30, Protecting Children from Internet Predators Act.
Lawful Access (Bills C-50, C-51 & C-52)
Government reintroduces online spying legislation (Winter 2010)
In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.
The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customer's information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.
Canada's 2010 Digital Economy Consultation
Bills C-46 & C-47, collectively the 'lawful access' or 'online surveillance' legislation, introduced on June 18, 2009.
Public Safety Canada consultations on online surveillance legislation (Fall 2007)
On November 15, 2005, the federal government introduced Bill C-74, the Modernization of Investigative Techniques Act (MITA), "an act to compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number." Note that this bill does not introduce new Production Orders, Preservation Orders, or other Criminal Code amendments that are described below as part of the broader package of "Lawful Access" proposals on which the government has been consulting.
Department of Justice consultations on electronic surveillance legislation, March 2005