From bad to… worse
Quebec has just announced a public inquiry examining admissions by the province’s two largest police forces that they have been spying on journalists. These revelations are timely, to say the least.
While Canadians read news reports of how previously expanded police surveillance powers (warrants for GPS monitoring and tracking) have been undermining press freedom, the federal government is gearing up to expand police and intelligence surveillance powers even further.
To the dismay of Canadians hoping to have good faith discussions about dangerously expanded and unaccountable state powers, the government’s Green Paper for the National Security Consultation includes a sales pitch for a laundry list of further expanded state surveillance powers.
Some of the specific ideas in the paper include:
- Basic Subscriber Information: Giving police and intelligence agencies information about telecommunications customers without a warrant.
- Data retention: Creating a requirement that telecommunications providers store telecommunications data in case police or intelligence agencies want to access it at a later time.
- Compelled passwords: Creating a legal procedure that would compel a person or organization to decrypt material.
None of these proposals relates exclusively or even mainly to national security. They are all expansions of powers that would apply across all general, domestic policing. And nowhere in the ‘digital investigations’ section of the Green Paper do we find a discussion of the need for appropriate constraint and oversight of the secretly used surveillance technologies that have been the subject of breaking news across the country for the better part of the last year, like police use of Stingrays.
Basic Subscriber Information
For more than a decade there has been a fierce battle about police accessing what is currently called Basic Subscriber Information (BSI). This is information about a telecommunications customer and can include their name, address, phone number, email address, Internet Protocol (IP) address and their mobile device’s unique identifier (IMSI number). The battle has been about what kind of legal protection this information should have. And that depends on whether there is a “reasonable expectation of privacy” in this information.
As Chris Parsons and Tamir Israel explain in this paper, this information can potentially expose not only a detailed biographical profile, but a rough map of your physical locations as well. In other words, it’s not “basic” in the least. And in 2014 the Supreme Court of Canada agreed in a case called R. v. Spencer, 2014 SCC 43.
Since that time we have known without question that there is a significant privacy interest in this information and it should not be available to police for the asking. There’s a pretty standard procedure for dealing with these situations and it’s called a warrant. But the Green Paper seemingly argues against warrants, pointing out that in some other countries police and intelligence agencies can access BSI without going to court.
There is reason to think that the police might be lobbying for a procedure in which they themselves would provide the “warrant” for BSI. That is, an investigating officer goes to a designated officer, gives reasons and gets authorized. Would such ‘self-authorization’ be a sufficient constitutional protection for information that can track you online and in the physical world? Assuredly not.
Bottom line: BSI must be protected by court oversight on a standard appropriate to its significant privacy interest.
Data retention
The police already have the power to get a Preservation Order, which is available from a judge on a low standard and allows the police to require preservation of information in cases, for example, in which it will take time to get a search warrant and the information is in danger of being destroyed. What the Green Paper asks is whether telecommunications companies should just be required to retain data for long periods of time, just in case the police need it. Rather like a global preservation order.
Retaining data that isn’t needed for business purposes creates a security risk. But concerns go beyond data security, as illustrated by the 2014 Court of Justice of the European Union striking down the EU “Data Retention Directive” because the blanket retention of innocent persons’ data violates the EU Charter of Fundamental Rights. It is at least possible that it would violate our Charter as well. So at the very minimum, we need to hear from law enforcement as to why preservation orders are insufficient and understand the magnitude of the problems they allege with the current system.
Bottom line: Evidence must be produced to show that current powers are insufficient before any consideration is given to a policy that has already been rejected in Europe as a violation of fundamental rights.
Compelled passwords
It is now commonplace to hear law enforcement state that encryption is a barrier to their investigations. However, our entire digitally-mediated world requires strong security, so increasingly the idea of weakening encryption is a non-starter. We have too great a need for cyber-security to undermine it. So, it is perhaps unsurprising that the notion of a court-compelled password/decrypting power is being vetted.
The problem with the proposal is that it rests on a violation of one of our most fundamental rights. Even if you have no notion of what’s in the Charter, you would know one thing for certain from watching police shows on TV: you have the right to remain silent. This is our right against self-incrimination and it has been called “the organizing principle of our criminal justice system.”
It is very difficult to imagine how a compelled password-type law could be constitutional.
Bottom line: No proposal should even be explored until we have court decisions on compelled passwords in the context of inspections by the Canadian Border Services Agency. These are cases that are already in play and will provide important guidance. If compelled passwords aren’t constitutional in the border setting, they certainly won’t be constitutional in the setting of the ordinary criminal law.
The need for mass surveillance warrants: Stingrays
In 2016 we learned that police in all parts of the country had used devices known colloquially as “Stingrays”, which intercept cellphone data. Our understanding of the procedures that are being followed for authorizations of these mass surveillance tools (they gather data of all of the people in a given radius) is sketchy. What little we know indicates that the police may be getting court authorizations, but we have reason to believe that those authorizations are likely over-broad and leave the matter of what to do with the hundreds or thousands of people’s data that are not the subject of the search entirely to the discretion of the police.
We know that the police are using these devices, although they largely maintain (absurdly at this point) a ‘neither confirm nor deny’ stance. We don’t know whether CSIS is using these devices, but we do know that CSIS refuses to even confirm to Parliament whether they take the position that they require a warrant if they were to use such devices. That CSIS will not answer this fundamental question about their own accountability is as shocking as it is (at this juncture) unsurprising.
Bottom line: We have mass-surveillance technologies (like Stingrays) and we have mass surveillance techniques (like “tower dumps” – police using production orders for phone records of masses of people) and both present unique challenges, in particular with respect to all the innocent people’s data that is incidentally scooped up. We need a special warrant process for mass surveillance technologies and techniques to ensure that rights are properly protected and these processes aren’t being abused.
How concerned should we be about processes being abused?
Well, I thought this week’s headline about the spying-on-journalists scandal provided some timely reflection on what happens when ‘things go wrong’. But it doesn’t answer the question of how often ‘things go wrong’.
Interestingly enough, another headline from the same day points to the answer… It’s about illegal mass data collection and CSIS breaching their duty of candour to the court for years.
It’s the afternoon headline.