CIPPIC and the Citizen Lab released a report today that describes and analyzes a class of covert electronic surveillance devices called cell site simulators (typically referred to as IMSI Catchers or by brand names such as 'Stingray'). IMSI Catchers operate by impersonating cell phone towers in order to trick mobile devices within range into transmitting digital identifiers, which are then used to track mobile devices or identify the otherwise anonymous individuals associated with them. The report (Executive Summary, FR) argues that the devices are inherently invasive. The geo-location and identification they facilitate engages sensitive privacy interests and, moreover, they are inherently coarse - for each target they are deployed against, the privacy of thousands of non-targeted mobile devices within range is collaterally affected. IMSI Catchers are also intrusive for their interference with the operation of mobile devices, which cannot receive or transmit any phone, text or data communications while engaged with an IMSI Catcher. This can include interference with critical communications such as emergency 911 calls.
Exacerbating the intrusive features of this electronic surveillance tool has been the cloud of secrecy that pervades its use. The report describes significant efforts by journalists and civil society, in Canada and abroad, which sought to uncover use of this device in Canada and the heavy and unnecessary yet persistent resistance these efforts have experienced. The resulting secrecy, which appears to be encouraged by non-disclosure agreements imposed on Canadian agencies by IMSI Catcher vendors, has delayed important public policy debates regarding the appropriate use of these devices, while eroding public confidence. The report calls for the imposition of a range of transparency, proportionality and mitigation measures, modeled on regulatory frameworks adopted by other jurisdictions for IMSI Catchers, by Canadian courts and legislatures for comparably intrusive electronic surveillance tools and by international normative frameworks for digital privacy protection.
Cell-site simulators, colloquially referred to as IMSI Catchers or by brand names such as "Stingrays" or "King Fisher", are surveillance tools used by state agencies to identify or track mobile devices (and, of course, the individuals associated with such devices). Compared to other surveillance devices, IMSI Catchers are inherently invasive. They are designed to impersonate cell towers, in both functionality and appearance. As a result, IMSI Catcher surveillance is broad and indiscriminate - each time an IMSI Catcher is deployed against a specific target, it interferes with all devices in range. Each time an IMSI Catcher is used against one specific target, it can interfere with the privacy of thousands, collecting the digital identifiers (IMSI, IMEI) of all mobile devices within range. With these identifiers, otherwise anonymous individuals can be geo-located or tracked. In addition to the privacy interference, IMSI Catchers interfere with the functionality of mobile devices in range, preventing them from sending or receiving phone calls, text messages or data, including emergency 911 calls.
The secrecy surrounding the use of these devices has been significant, with law enforcement agencies in Canada generally refusing to acknowledge, or even deny, whether they have ever made use of such a device. The Vancouver Police (VPD), for example, have refused to respond to a freedom of information demand from the Pivot Legal Society for any records relating to its use of these devices. CIPPIC and Christopher Parsons from Citizen Lab represented an intervener in the appeal of that refusal, OpenMedia. VPD defends its decision on the basis that acknowledging any IMSI Catcher would undermine their utility as surveillance tools. However, as we pointed out in the intervention, a lot of information is already in the public record regarding the capabilities of these devices and their use by state agencies, and there is a compelling public interest in publicizing use of these devices, to facilitate public debate regarding the appropriate parameters of their use. UPDATE: On May 25, 2016, after reviewing the record of the appeal, VPD issued a response, indicating that they do not own an IMSI Catcher and have no records relating to the use of such devices. However, ongoing questions remain regarding whether VPD has used these devices in past investigations through the aegis of the RCMP.
Canada's federal, provincial and territorial Information and Privacy Commissioners are calling for nominations for the Grace-Pépin Access to Information Award, which will honour and recognize the efforts of individuals or groups who have demonstrated an exceptional contribution to Access to Information rights in Canada. Nominees are judged based on the significance, implementation and impact of their work on the Canadian Access to Information right. The award could not be more timely, as Canada's aging Access to Information regime (which has not been substantially reformed since its introduction over 30 years ago) is in dire need of reform to bring it into the digital age.
The award also honours and commemorates its eponymous Commissioners, John Grace, former Information Commissioner of Canada, and Marcel Pépin, president and founder of the Commission d'accès à l'information du Québec. It is typically presented during Right to Know week, celebrated each year in September. Nominations are due August 31, 2015. More details on the nomination process and requirements are available here (FR). To submit a nominee, fill out this form here (FR).
CIPPIC participated in a consultation held by the Assemblée nationale du Québec on the Province's data protection and right to information framework. The consultation sought input on a set of recommendations issued by the Commission d'accès à l'information du Québec and designed to update Québec's freedom of information statute and privacy statute in light of technological changes.
CIPPIC's submission addressed a number of the Commission's recommendations, including issues arising from risks of re-identification, the need for data minimization obligations, the need for a right to information that extends to data that must be processed before it can be released, and the need to impose an obligation on the government to proactively disclose data useful to the public in interoperable formats.
In response to the dramatically outdated nature of Canada's now 30-year-old Access to Information Act, the Office of the Information Commissioner of Canada has initiated an Open Dialogue Consultation on the need to modernize ATI. Building on submissions from fellow organizations such as BCFIPA, CIPPIC participated in the OIC's consultation, calling for the Access to Information Act to be modernized. Specific modernizations include reduced barriers to ATI requests and a 'digital first' response policy that should lower ATI response costs. Importantly, exceptions should be narrowed and focused, and subject to a public interest override as well as the need to prove harm will result if information is not withheld. Too often, exceptions are relied upon to obscure information that Canadians have a right to know.
More generally, the right to information needs to be conceived in broader terms than reflected in the ATIA. It needs to be exercised more proactively if it is to achieve its objective within the context of a democratic and technologically innovative society. While the current ATIA focuses on information responses to individual requests, it should additionally obligate periodic and proactive disclosure of important public information. This proactive publication obligation should extend to important data sets in the government's control, so that Canadians can fully benefit from data held and generated by their government. Government-held information is a national resource, generated by public officials in the course of carrying out their public mandates and, ultimately, paid for by public funds. The outdated nature of Canada's ATI regime has become a tangible obstacle to the ability of Canadians to fully benefit from this resource. It is now time to bring our right-to-information system forward into the twenty-first century. For more information visit: http://cippic.ca/open_governance.
OpenStreetMap, a global "wikipedia of maps", demonstrates that volunteer collaborations are a force to be reckoned with in the geography world. Increasingly, crowd-sourced Volunteered Geographic Information (VGI) projects are addressing mapping needs in crisis situations. The 2010 Haitian earthquakes provoked a blossoming of such initiatives, with a milieu of volunteer mapping efforts put forth to assist with relief efforts. Similar mapping efforts are now cropping up to assist in the context of forest fires, floods, hurricanes and other disasters.
Whether you contribute to VGI projects or rely upon the information, there are some key legal issues and potential legal risks that arise in this exciting new mapping environment. CIPPIC has put together a toolkit to help keep you informed. With the assistance of Professor Chandler, CIPPIC interns Laura Crestohl and Robert Vitulano, and generous funding from the GEOIDE Network, CIPPIC presents:
The Canadian Government is moving towards treating its data as "open by default". As an exception to this default, data that is "personal information" must be removed or masked before being disclosed as open data to any third party. However, these steps are not always enough to protect privacy in data, and information about individuals can be reidentified after the open data is released. This FAQ examines this conflict between privacy and open data.
- What is open data?
- What are the requirements of open data?
- How/where is open data collected?
- Who releases open data?
- Who uses open data?
- What is the value of open data?
Open Data and Privacy
FAQ: Volunteered Geographic Information
The basic idea behind open source is very simple. When programmers can read, redistribute, and modify the source code for a piece of software, the software evolves. People improve it; people adapt it; people fix bugs. It has the potential to move at speeds that put proprietary software development to shame.
A brief "how-to" on redistributing data from one or more open data portals prepared by CIPPIC.
An analysis of the “share-alike” obligation and how, although it can serve a useful purpose in some contexts, it does not fit well with the objectives of municipal open data portals.
CIPPIC critically examines the Ottawa Open Data License with a view to recommending options for improving the ability of the license to meet the needs of the user community who will benefit from the license.
Open Data, Open Citizens?
Open data initiatives emphasize transparency. But government data often includes personal information. What happens when government open data initiatives clash with privacy? And are efforts to scrub open data of personal information sufficient to address privacy concerns? In this project, CIPPIC investigates the potential conflict between open data and privacy.
CIPPIC Report: Open Data, Open Citizens? (coming soon!)
CIPPIC Podcast: Open Data and Privacy
CIPPIC FAQ: Open Data and Privacy
Office of the Information Commissioner, 2012 Dialogue on Modernizing Access to Information
Canada's 2010 Digital Economy Consultation