CIPPIC, OpenMedia and Canadian Journalists for Free Expression have released a primer on Bill C-51, the government's latest initiative to expand its state security apparatus. As the primer explains, the Bill, which has been opposed by broad segments of Canadian society, signals a dramatic new direction for Canadian security. Presented as anti-terror legislation, the Bill adopts an excessive approach that will harm online innovation, political discourse and our civil liberties. It will reverse Canada’s rich multicultural heritage and replace it with an atmosphere of fear, distrust and racial profiling – where neighbours are encouraged to turn on neighbours on the basis of ‘reasonable fears’. The Bill was drafted and defended in an atmosphere openly hostile to civil liberties, and this is reflected in every element of it. One element of the Bill even seeks to allow our spy agencies to violate the Charter of Rights and Freedoms – our most vital protection against egregious state intrusion into our lives. It signals a return to a time when our security agencies were empowered to carry out dirty tricks against our citizens – and did so with impunity.
It fails to address long-standing and well-documented problems with Canada’s already excessively broad security powers, the misuse of which has led to the torture, detention, flight restriction and privacy invasion of many innocent Canadians since they were introduced post 9/11. Innocent Canadians’ lives have been ruined. This Bill not only fails to remedy those flaws, it replicates and expands the underlying problems without adding any meaningful safeguards to ensure the expansive powers it grants will not be similarly abused. It is little wonder that few who have carefully examined the Bill can fully support it in its current form. In spite of this, the government is currently rushing the Bill through not just one house of parliament, but both.
Data Privacy Day (a.k.a. Data Protection Day) 2015 marked a range of developments - some good, some bad, all significant. Data Privacy Day is celebrated annually to commemorate the world's first data protection treaty: the Council of Europe's Convention 108. This year, the day began with a series of startling revelations from CBC, which released documents acquired through former NSA analyst Edward Snowden detailing a comprehensive electronic surveillance program that monitored various file upload sites around the world. The program, implemented by Canada's foreign intelligence agency, CSEC, involved combing through its comprehensive meta-data-bases in order to identify individuals uploading or accessing 'questionable' documents on sites such as MegaUpload and Rapidshare. Visitors to such documents are then subjected to intense meta-data-scrutiny in order to find their identity through such things as Facebook and email login cookies. Aside from the millions of documents tracked by the program daily, the program demonstrates an immensely invasive capacity that can emerge from mere analysis of the metadata held by CSEC and its Five Eyes partners. Far from acknowledging these concerns, we expect more of the same, with State promises to introduce expanded lone wolf surveillance powers this Friday.
Some tentatively promising developments from APEC also came this week. CIPPIC had endorsed a letter sent by a number of privacy groups in late December pointing to several issues with APEC's certification of TRUSTe as an accountability agent capable of overseeing compliance with APEC obligations for the purpose of receiving personal data transfers from other APEC member states such as Canada. This week, APEC and TRUSTe addressed a number of the concerns, but left a few (particularly those relating to conflicts of interest between TRUSTe board members and some of the commercial organizations it is tasked with overseeing) outstanding. In brighter news, the Mexican data protection authority announced it would be officially signing the International Principles on the Application of Human Rights to Communications Surveillance (IPAHRCS-es for short!), designed to provide comprehensive suggestions on how to conduct electronic surveillance in a targeted and privacy-respecting manner. The IPAHRCS have now been endorsed by over 480 international organizations, experts and government officials. An eventful Data Privacy Day, for better or worse!
The Supreme Court of Canada issued its decision in R. v. Fearon, 2014 SCC 77, today, which addressed whether law enforcement could indiscriminately search the mobile devices of individuals upon arrest. Whereas the Charter requires prior judicial authorization based on reasonable grounds in most instances, law enforcement are granted more latitude when searching individuals under arrest. The question in Fearon (and in a similar appeal heard by the United States Supreme Court around the same time - Riley v. California, 134 S.Ct. 2473 (2014)) was whether this broad rule should be applied to mobile devices given the rich amounts of information contained on these devices. In its intervention, CIPPIC argued that the breadth of the power to search on arrest combined with the ubiquitous use and far-ranging data contained on mobile devices will leave few instances where law enforcement cannot rummage through cell phones.
While acknowledging that the high privacy interest in mobile devices requires limiting access on arrest to situations where an immediate investigative purpose exists, a split decision of the court provided wide latitude for law enforcement to scour mobile data receptacles on arrest in many if not most instances. This is because, as noted by the dissent, mobile devices are implicated in most of our activities, so law enforcement will almost always be able to advance a general prospect that such a device might yield evidence of a witness, co-conspirator, or object of crime. Similarly, as noted by the dissent, while not each search of a mobile device will reveal sensitive information, the knowledge of an impending search is likely to have a chilling effect and, in those instances where an invasion occurs, there will not be an opportunity to remedy the issue ex post. In spite of this, the majority found that law enforcement objectives must prevail. The decision appears at odds with a string of Supreme Court decisions upholding additional protections for data receptacles, as well as with the approach taken in the United States. In the US, a concern for officer safety and the need to prevent destruction of evidence has, historically, motivated a search on arrest rule as broad as Canada's, but as the US Supreme Court recently found in Riley/Wurie, this rule does not extend to mobile devices.
CIPPIC attempted to intervene at the Federal Court of Appeal on a matter that raises many fundamental issues arising from the ability of Canadian intelligence agencies to make use of the extensive -- and arguably unconstitutional -- practices of foreign intelligence partners such as the U.S. National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ). The proceeding, an appeal of a decision issued by Justice Mosley of the Federal Court last December, has been shrouded in secrecy due to the important national security interests it is examining. This secrecy has made it difficult for CIPPIC to attempt intervention in a timely manner and its request for directions regarding any such intervention arrived too late in the proceeding. CIPPIC will continue to monitor this file as it is likely to make its way to the Supreme Court of Canada.
Bill C-622, the CSEC Accountability and Transparency Act, introduced today by Joyce Murray (Liberal-Vancouver Quadra), seeks to address a number of the many problems inherent in the surveillance activities of Canada's foreign intelligence signals agency, the Communications Security Establishment of Canada (CSEC). CSEC currently operates largely on its own, subject only to broadly framed authorizations and directives from the Minister of National Defence (MND) and non-binding oversight from the CSE Commissioner. While the Bill fails to substantially restrict CSEC's mass harvesting of Canadians' data by imposing disciplined surveillance practices, it does make meaningful progress on the long list of CSEC-related problems that need to be addressed, by:
Removing the MND's capacity to authorize interception of Canadians' private communications. Such authorization can only come from a judge following an adversarial proceeding;
Adopting an inclusive definition -- Protected Information -- which unambiguously includes all data associated with communications, including metadata, not just content;
Imposing stricter limits on how long CSEC can retain Canadian data that is incidentally collected in its surveillance activities, although the MND may override these limits under certain conditions; and
Removing CSEC's ability to conduct 'classes of surveillance activities', but retaining its capacity to spy on 'classes of persons' without any need for reasonable grounds.
In addition, the Bill enhances transparency and oversight by establishing a non-partisan parliamentary oversight committee and requiring the CSE Commissioner's annual report on CSEC activities to include greater detail.
A comprehensive report was issued today which examines the technical and policy response to foreign intelligence problems highlighted by the unique window into the operation of such agencies that has been provided by whistleblower Edward Snowden over the past year. The report, which focuses mostly on developments at the national level within 18 countries (there is also one EU-wide section and one section that examines the private sector), points to a strong shift in perception and growing acknowledgement and concern over foreign intelligence activities. However, in spite of this concern, it points to minimal tangible changes to date across surveyed countries (aside from the United States, where some nascent changes have already taken root).
This is perhaps not surprising -- while the Snowden revelations have certainly shined a light on foreign intelligence activities around the world, the primary focus of these documents has been the activities of the US-based NSA. In addition, while reporting on the leaks began one year ago, the staged release of these revelations has meant that a complete picture has only emerged in the past few months. It is, then, perhaps unsurprising that most changes to date have occurred in the United States or at the international level. The report was generated by privacy scholar Simon Davies. CIPPIC, in conjunction with Christopher Parsons (Citizen Lab) and Micheal Vonn (BCCLA), provided the Canada chapter.
In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes. As a result of opposition to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.
Privacy in domain name registration (CIRA & ICANN)
In response to planned outsourcing by the British Columbia government of certain database administrative duties to a U.S.-linked company, the British Columbia Privacy Commissioner invited public input by August 6, 2004 on the extent to which the USA Patriot Act allows US authorities to access the personal information of British Columbians, and the implications of such access for public body compliance with privacy legislation.
New information and communication technologies such as the Internet, email, cellphones, and encryption offer individuals new ways to communicate, organize, and engage in criminal behaviours, creating challenges for law enforcement agencies in their efforts to investigate and prosecute criminal activity. On the other hand, these same technologies provide authorities with access to potentially vast amounts of personal information on individuals.
CIPPIC staff discuss issues arising from proposed lawful access legislation.
R. v. Fearon, S.C.C. File No. 35498
Chehil/MacKenzie v. Her Majesty the Queen, S.C.C. File Nos. 34524 & 34397
Telus Communications Company v. Her Majesty the Queen, 2013 SCC 16
PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.
Bill 622: CSEC Transparency & Accountability
On February 14, 2012, the federal government once more introduced a legislative package of lawful access bills: Bill C-30, Protecting Children from Internet Predators Act.
Lawful Access (Bills C-50, C-51 & C-52)
Government reintroduces online spying legislation (Winter 2010)
In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.
The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customers' information, and it includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.
Canada's 2010 Digital Economy Consultation
Bills C-46 & C-47, collectively the 'lawful access' or 'online surveillance' legislation, introduced on June 18, 2009.
Public Safety Canada consultations on online surveillance legislation (Fall 2007)
On November 15, 2005, the federal government introduced Bill C-74, the Modernization of Investigative Techniques Act (MITA), "an act to compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number." Note that this bill does not introduce new Production Orders, Preservation Orders, or other Criminal Code amendments that are described below as part of the broader package of "Lawful Access" proposals on which the government has been consulting.
Department of Justice consultations on electronic surveillance legislation, March 2005