Cell-site simulators, colloquially referred to as IMSI Catchers or by brand names such as "Stingrays" or "King Fisher" are surveillance tools used by state agencies to identify or track mobile devices (and, of course, the individuals associated with such devices). Compared to other surveillance devices, IMSI Catchers are inherently invasive. They are designed to impersonate cell towers, in both functionality and appearance. As a result, IMSI Catcher surveillance is broad and indiscriminate -each time an IMSI Catcher is deployed against a specific target, it interferes with all devices in range. Each time an IMSI Catcher is used against one specific target, it can interfere with the privacy of thousands, collecting the digital identifiers (IMSI, IMEI) of all mobile devices within range. With these identifiers, otherwise anonymous individuals can be geo-located or tracked. In addition to the privacy interference, IMSI Catchers interfere with the functionality of mobile devices in range, preventing them from sending or receiving phone calls, text messages or data, including emergency 911 calls.
The secrecy surrounding the use of these devices has been significant, with law enforcement agencies in Canada generally refusing to acknowledge, or even deny, whether they have ever made use of such a device. The Vancouver Police (VPD), for example, have refused to respond to a freedom of information demand from the Pivot Legal Society for any records relating to its use of these devices. CIPPIC and Christopher Parsons from Citizen Lab represented an intervener in the appeal of that refusal, OpenMedia. VPD defends its decision on the basis that acknowledging any IMSI Catcher would undermine their utility as surveillance tools. However, as we pointed out in the intervention, a lot of information is already in the public record regarding the capabilities of these devices and their use by state agencies, and there is a compelling public interest in publicizing use of these devices, to facilitate public debate regarding the appropriate parameters of their use. UPDATE: On May 25, 2016, after reviewing the record of the appeal, VPD issued a response, indicating that they do not own an IMSI Catcher and have no records relating to the use of such devices. However, ongoing questions remain regarding whether VPD has used these devices in past investigations through the aegis of the RCMP.
In the wake of the Paris attacks, there have been numerous calls by security agencies to once again expand the nature and scope of surveillance and other security framework under which they operate. Many of these calls were neatly summarized in an opinion piece in the Globe and Mail published November 25, 2015. A number of civil society organizations wrote in response today, refuting the one-sided expansion of state powers as an enduring solution to the world's security problems, the full response and list of signatories is replicated below. Also today, the International Civil Liberties Monitoring Group penned a well-argued response to attempts by RCMP Commissioner Bob Paulson, who has renewed calls for legislation granting police unsupervised and unrestrained access to online identifiers. The post recalls how Canadians have soundly rejected such calls in the past when it was presented as a solution to, in succession: cybercrime, child pornography and cyber-bullying. This latest iteration is equally as invasive and equally as unnecessary as its predecessors. Online identifiers are the essence to digital privacy and anonymity. Granting wholesale access to them is neither necessary to effective law enforcement or counter-terrorism, nor is it a proportional incursion on our digital privacy. If police need specific access to identifying information, it should only be obtained through the use of a dedicated production order similar to those already in the Criminal Code for other forms of metadata such as transmission and tracking information.
Overall, as both civil society initiatives note, we are seeing a familiar list of demands for new powers from law enforcement following the Paris attacks. However, it is notable that none of these are responses to whatever shortcomings (if any) in surveillance powers may have contributed to the Paris attacks. The Globe and Mail letter is reproduced after the bump and can also be read here.
CIPPIC, OpenMedia, and over 40 other civil society groups and privacy experts wrote to the government today calling for a public consultation on the legacy of Bill C-51, the highly controversial and one-sided overhaul of Canada's security and investigative framework adopted by the previous government late last year. The letter notes with enthusiasm the government's commitment to address some of the pressing problems raised by Bill C-51, but urges that these fixes come only after public engagement on the issue has occurred. Bill C-51 was developed in an atmosphere and process that was often openly hostile to civil society input, and this is reflected in almost every facet of its multi-pronged expansion of security powers. It detrimentally impacted on several elements of Canadian society while exacerbating long-standing problems relating to Canada's flight-restriction mechanisms, information-sharing, intelligence oversight and due process. It is no surprise that over 300,000 Canadians have spoken out against Bill C-51, and in just the past week more than 10,000 have called on the government to publicly consult on how to address its legacy.
In spite of this controversy, the letter points out, neither this government nor the previous has ever made the case for any of Bill C-51's elements, and that doing so must be the first step to a reasoned debate around its various elements. Once this case has been made, in the form of a discussion paper, the letter calls for an online public consultation as well as an opportunity for stakeholders to comment on the measures and justifications underlying the changes to Canada's security framework that the government wishes to adopt or retain. In particular, there is concern that the adoption of parliamentary oversight for intelligence agencies - a mechanism that has proven useful, but not independently sufficient in many foreign jurisdictions including the United States and the United Kingdom - will be presented as a panacea to the excesses of Canada's security apparatus. The letter, as well as a joint media release that accompanied its delivery, can be read after the bump, and our Bill C-51 primer (with OpenMedia and Canadian Journalists for Free Expression) can be read here (PDF).
Monday, June 15, at 6pm CIPPIC, Amnesty International Canada & the Ottawa Public Library will host a free public screening of CitizenFour. The documentary explores how former National Security Agency contractor Edward Snowden approached reporters Laura Poitras (who also directed the Academy Award winning documentary), Glenn Greenwald and others with a treasure trove of classified documents exposing the shear unprecedented scope and magnitude of the NSA's monitoring of the world's digital activities. This, in turn, launched an international debate about the protection of privacy in the digital age and the appropriate role of our foreign intelligence agencies.
Today marks the two year anniversary of the day the Guardian first reported on an NSA program that mandated Verizon and other US-based telecommunications companies to hand over metadata on all phone calls (domestic and foreign) on a regular basis in order to populate a metadata base that it could data-mine at will as part of its foreign intelligence program. The story sent ripples around the globe, and last week the US congress greatly restricted it by limiting the NSA's surveillance powers for the first time in decades. But the expansive metadata program, it turned out, was just the tip of the iceberg as a string of revelations from Snowden's files followed, each more staggering than its predecessor and confirming privacy advocate's worst predictions (CJFE hosts a searchable archive of these). We have also learned much about Canada's complicity (by its participation in the Five Eyes intelligence partnership with the US, UK, Australia & New Zealand) in creating this global web of surveillance. The film is a must-see for any privacy advocate, as well as for anyone who wants to learn about Snowden's experience or how our communications networks are monitored. Join us June 15! More details after the jump or download the event flyer
CIPPIC, OpenMedia and Canadian Journalists for Free Expression have released a primer on Bill C-51, the government's latest initiative to expand its state security apparatus. As the primer explains the Bill, which has been opposed from broad segments of Canadian society, signals a dramatic new direction for Canadian security. Presented as anti-terror legislation, the Bill adopts an excessive approach that will harm online innovation, political discourse and our civil liberties. It will reverse Canada’s rich multicultural heritage and replace it with an atmosphere of fear, distrust and racial profiling – where neighbours are encouraged to turn on neighbours on the basis of ‘reasonable fears’. The Bill was drafted and defended in an atmosphere openly hostile to civil liberties, and this is reflected in every element of it. One element of the Bill even seeks to allow our spy agencies to violate the Charter of Rights and Freedoms – our most vital protection against egregious state intrusion into our lives. It signals a return to a time when our security agencies were empowered to carry out dirty tricks against our citizens – and did so with impunity.
It fails to address long standing and well-documented problems with Canada’s already excessively broad security powers, the misuse of which has led to the torture, detention, flight restriction and privacy invasion of many innocent Canadians since they were introduced post 9/11. Innocent Canadians’ lives have been ruined. This Bill not only fails to remedy those flaws, it replicates and expands the underlying problems without adding any meaningful safeguards to ensure the expansive powers it grants will not be similarly abused. It is little wonder that few who have carefully examined the Bill can fully support it in its current form. In spite of this, the government is currently rushing the Bill through not just one house of parliament, but both.
Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA Analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five EYEs partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.
Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy respective manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful data privacy day, for better or worse!
In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes. As a result of opposing to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.
Privacy in domain name registration (CIRA & ICANN)
In response to planned outsourcing by the British Columbia government of certain database administrative duties to a U.S.-linked company, the British Columbia Privacy Commissioner invited public input by August 6, 2004 on the extent to which the USA Patriot Act allows US authorities to access the personal information of British Columbians, and the implications of such access for public body compliance with privacy legislation.
New information and communication technologies such as the Internet, email, cellphones, and encryption offer individuals new ways to communicate, organize, and engage in criminal behaviours, creating challenges for law enforcement agencies in their efforts to investigate and prosecute criminal activity. On the other hand, these same technologies provide authorities with access to potentially vast amounts of personal information on individuals.
CIPPIC staff discuss issues arising from proposed lawful access legislation.
R v Fearon, 2014 SCC 77, SCC File No 35498
Chehil/MacKenzie v. Her Majesty the Queen, S.C.C. FIle Nos. 34524 & 34397
Telus Communications Company v. Her Majesty the Queen, 2013 SCC 16
PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.
Bill 622: CSEC Transparency & Accountability
On February 14, 2012, the federal government once more introduced a legislative package of lawful access bills: Bill C-30, Protecting Children from Internet Predators Act.
Lawful Access (Bills C-50, C-51 & C-52)
Government reintroduces online spying legislation (Winter 2010)
In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.
The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customer's information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.
Canada's 2010 Digital Economy Consultation
Bills C-46 & C-47, collectively the 'lawful access' or 'online surveillance' legislation, introduced on June 18, 2009.
Public Safety Canada consultations on online surveillance legislation (Fall 2007)
On November 15, 2005, the federal government introduced Bill C-74, the Modernization of Investigative Techniques Act (MITA), "an act to compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number." Note that this bill does not introduce new Production Orders, Preservation Orders, or other Criminal Code amendments that are described below as part of the broader package of "Lawful Access" proposals on which the government has been consulting.
Department of Justice consultations on electronic surveillance legislation, March 2005