The B.C. Civil Liberties Association (BCCLA) is the oldest and most active civil liberties group in Canada. We are a group of citizens who volunteer our energy and talents to fulfill our mandate: to preserve, defend, maintain and extend civil liberties and human rights in British Columbia and across Canada. We are a charitable, non-profit society.
Privacy is an important part of the BCCLA’s mandate. Over the years, we have become a leading advocate for the privacy rights of British Columbians and we have been involved in number of high profile dossiers in this area, including the Anti-terrorism Act and the API-PNR database.
Before providing our substantive comments, we wish to note that the consultation document is quite vague about what the government of Canada is actually proposing. Other than a few suggested definitions, the consultation document is couched in generalities and lacks specifics about what measures the government plans on instituting. Because of this, our comments will necessarily be at a similar level of abstraction. We look forward to the opportunity to respond to whatever legislative proposals are brought before a parliamentary committee.
Why does the government believe the proposed action is necessary?
The Consultation Document sets out three general rationales for the proposals being made.
Rapidly evolving technological environment
The first is the rapidly evolving telecommunications environment, which the paper says “can make it more difficult to gather the information required to carry out effective investigations.” p.3
The principal difficulties appear to be technological, and the paper cites new calling options for wireline communications, expansion of wireless communications and the Internet as areas where law enforcement and national security organizations have had difficulty in gaining access to data. The government proposes placing requirements on service providers to facilitate this access.
In fact, at the Vancouver consultation meeting with government officials, an often repeated theme was that the government was looking to “shift the costs” of surveillance onto service providers directly and onto citizens indirectly if service providers opt to pass along these costs to consumers.
This would be a remarkable shift in approach from current practice, where surveillance of citizens is carried out by law enforcement or security agencies and their costs are considered to be the costs of doing the job Parliament has assigned them. Parliament allocates funds for these activities and the agencies are expected to live within their budgets. What is being proposed is a form of licensing fee on service providers who will be required to assume these costs in order to be allowed to operate.
This is not so much a simple response to technological developments that would allow continuation of current practices as a seismic shift in how surveillance is carried out and paid for. The fact that new technologies pose challenges for law enforcement and security organizations does not justify what is being proposed. The government must show clearly that there is no way that the current system can operate, not that it will cost more money or be inconvenient for those doing the monitoring of citizens.
Implementation of the Council of Europe Convention on Cyber-crime
The second rationale being put forward by the government is the need to ratify the Council of Europe Convention on Cyber-crime. This treaty is the latest in a series on mutual legal assistance, and is designed to facilitate combating international computer and Internet-based crime, including child pornography, propagation of viruses, on-line fraud, etc.
The Consultation Document states that most of the legislative authority is already exists in Canada, but that three additional measures would have to be added to the Criminal Code before Canada can ratify the treaty. These are:
provisions for a production order;
provisions for a preservation order; and
an offence in relation to computer viruses not yet deployed
These are not minor amendments. The notion of a preservation order is unknown in Canadian law, and would be a major shift in Canadian criminal law and a bigger incursion into the privacy of Canadians. This goes well beyond simply maintaining existing lawful access capabilities.
Production orders are a very limited concept in the Criminal Code, and the proposals appear to propose a huge expansion of their use and availability. Again, we are looking at major changes to Canadian criminal law and bigger incursions into the private lives of Canadians.
The government says these power are needed to fight crimes against the Internet or crimes being carried out using the Internet, and we have to do this in order to ratify the treaty. It should be noted that the Convention on Cyber-crime has been in existence for barely a year, with 34 states (including Canada) having signed it. For the Convention to enter into force five countries must ratify it, including three member countries of the council of Europe. To date, only Croatia and Albania have ratified the treaty.
This means the Convention is not yet in force, and the government has not indicated when this is likely to happen. If there is no functioning treaty to take part in, Canadians should take the time to carefully consider the implications of what is being proposed for their historic civil liberties.
Furthermore, the treaty provides for reservations by federal states. None have been filed as yet, but the United states has not ratified the Convention. We do not know which states may seek reservations from some provisions of the treaty. It would be prudent for Canada to see what its largest trading partner and the country with which we are most closely integrated in terms of our communications system is going to do and respond appropriately.
Finally, we raise the difficulty we have with the argument that otherwise unjustifiable policy changes must be made because a treaty requires that we do it. There is a high risk of policy laundering, where a government seeks to avoid or sidestep scrutiny (and the consequent criticism and political cost) by legislatures, the media or the public by saying “the treaty made us do it.” .
Public policy objectives
The consultation paper refers to the 2001 Speech from the Throne (SFT) as promising action to deal with cyber-crime, a promise the government argues it is keeping by bringing in these proposals. The relevant section of the 2001 SFT is reproduced below.
“The Government will focus on safeguarding Canadians from new and emerging forms of crime. It will provide enhanced law enforcement tools to deal with emerging threats to security, such as cyber-crime and terrorism. It will act to safeguard children from crime, including criminals on the Internet.”
However the Consultation Document does not refer to another part of the SFT, which actually precedes the pledge on cyber-crime. It is reproduced below.
“It will also modernize federal privacy law to safeguard the personal information of Canadians and provide better copyright protection for new ideas and knowledge.”
The 2001 Throne Speech actually acknowledges the need for a balance between the need to fight crime on the Internet and protect the privacy rights of Canadians. To date, we have not seen any action on this pledge. This speaks volumes about the priorities of the government, especially when considered in light of the various measures which have been taken to restrict and infringe the privacy rights of Canadians in the name of the fight against terrorism. The Right to Privacy Generally The BCCLA position on the right to privacy, with respect to surveillance by state agencies, runs on two parallel lines.
These two tracks were set out by the Supreme Court of Canada in R. v. Dyment, in the following words: “Grounded in man’s physical and moral autonomy, privacy is essential for the well-being of the individual. For this reason alone, it is worthy of constitutional protection, but it also has profound significance for the public order. The restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state.” R. v. Dyment,  2 S.C.R. 417, at pp. 427-8.
Human beings prize privacy as one of the essential features of a liveable environment. Being subject to relentless scrutiny, particularly when that scrutiny involves the vast resources and punitive powers of a state, makes for less human happiness. The ability to communicate to our fellow human beings freely and without the fear of any or every word we utter being recorded and scrutinized is essential for human dignity and even human health, both physical and mental. A system which would permit government and its agents to monitor all our electronic conversations would greatly diminish human happiness and human health.
It would also diminish and reduce our democratic society.
The BCCLA has a fundamental commitment to “forum democracy” as centred on a self-governing, deliberative citizenry. The People are the ultimate source of political authority in a democratic polity. Meiklejohn’s resonant battle-cry: “they must be free because they must govern” refers to the symmetry between the limited free speech privileges of legislative bodies and the limited free speech privileges of the citizenry in their forum. The BCCLA contends that this symmetry also extends to the limited privacy privileges of the executive tribunals of a democracy and the limited privacy privileges of the citizenry in their forum.
Executive privilege turns on the conviction that, without privacy protection, executive bodies are unable to discharge their duties. With every musing and speculative line of thought open to scrutiny and misinterpretation, it would be practically impossible for an executive to operate. The courts in Canada and elsewhere have repeatedly affirmed this principle, most recently in Babcock v. Canada (Attorney General) 2002 SCC 57. File No.: 28091, and have declined to allow citizens or the media access to documents which could reveal these inner private discussions among cabinet ministers.
Similarly, the ultimate rulers of the country are the people, and they must be free to discuss all matters freely, and without fear of monitoring, if the forum of the ruling citizenry is to have the uninhibited vigour it needs.
The right to privacy in law
The proposals contained in the Lawful Access consultation document engage the protections of privacy contained in the Charter of Rights and Freedoms.
The Supreme Court of Canada has repeatedly affirmed, in a number of different contexts (search warrants, (R. v. Plant), income tax audits/investigations (R. v. Jarvis, R v. Ling) possession of child pornography (R. v. Sharpe) or blood samples (R. v. Dyment) that the Charter will protect the right to privacy. It has affirmed the privacy rights of Canadians under both s.7 and s.8 of the Charter, as well as under statutes and the common law.
Section 7 reads as follows:
7. Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.
A central principle of fundamental justice is that the individual’s interest of privacy cannot be unreasonably interfered with by the state. In R. v. Sharpe, 2001 1 S.C.R. 45, the Court recognized that “freedom from state intrusion and conformist social pressures is integral to individual flourishing and diversity”, and also stated that “Privacy, while not expressly protected by the Charter, is an important value underlying the s. 8 guarantees against unreasonable search and seizure and the s. 7 liberty guarantee.” (At para 26)
In the context of the lawful access proposals, there values as state are clearly of the highest order. They are individual communications for which individuals assume the state will not be monitoring. Likewise, traffic data being considered for protection and production orders is so intimately connected to the privacy of the individual that the highest level of protection must be in place to protect it. The “full panoply” of Charter rights will undoubtedly be engaged to protect the individual from such surveillance.
Section 8 of the Charter provides that:
8. Everyone has the right to be secure against unreasonable search or seizure.
In fact, section 8 protects a reasonable expectation of privacy. What makes up a reasonable expectation of privacy is will depend on the context, and “an assessment must be made as to whether in a particular situation the public’s interest in being left alone by government must give way to the government’s interest in intruding on the individual’s privacy in order to advance its goals, notably those of law enforcement” (Hunter v. Southam Inc., supra, at 159-60, per Dickson J. (as he then was).
“The guarantee of security from unreasonable search and seizure only protects a reasonable expectation. This limitation on the right guaranteed by s. 8, whether it is expressed negatively as freedom from “unreasonable” search and seizure, or positively as an entitlement to a “reasonable” expectation of privacy, indicates that an assessment must be made as to whether in a particular situation the public’s interest in being left alone by government must give way to the government’s interest in intruding on the individual’s privacy in order to advance its goals, notably those of law enforcement.” R. v. Dyment,  2 S.C.R. 417, at 428.
The Supreme Court has looked at the reasonable expectation of privacy in a number of different contexts. They have held that commercial documents may include a reasonable expectation of privacy (Thomson Newspapers), but this may be lower than for personal information, especially when those documents are produced for regulated activities. It was also held that there was a reduced expectation for Employment Insurance information (R. v. Smith) and documents prepared for tax purposes, since they are subject to audit. “taxpayers have very little privacy interest in the materials and records that they are obliged to keep under the ITA, and that they are obliged to produce during an audit.”(R. v. Jarvis)
The Consultation Document cites the decision of the Supreme Court of Canada in R. v. Plant,  3 S.C.R. 281 to support its view that subscriber traffic data is subject to a lower level of protection under s.8 than content or conversations or e-mails. In fact, the case says something very different.
In R. v. Plant at 293, Sopinka J. listed several factors that will determine the parameters of the protection afforded by s. 8 with respect to informational privacy. These include consideration of such factors as:
the nature of the information itself,
the nature of the relationship between the party releasing the information and the party claiming its confidentiality,
the place where the information was obtained, the manner in which it was obtained, and
the seriousness of the crime being investigated
Plant involved a marijuana grow-operation in a residential house. The police received a tip about the operation, did a perimeter search of the house, which they noticed had covered windows (a common characteristic of grow-ops). They used a computer to gain access to the hydro records of the house, which were four times higher than normal for a similar sized house in the city. This access to customer records was granted to police by Calgary Hydro on an on-going basis. The police obtained a search warrant and charges followed.
The constitutionality of the various searches were challenged by the accused, but for the purposes of this discussion the computerized hydro records are the most relevant.
Sopinka, J stated that section 8 seeks to protect “a biographical core of information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state.” (at 293). He also wrote that this is the type of information “which tends to reveal intimate details of the lifestyle and personal choices of the individual.”
In Plant, the court held that hydro records were not the kinds of information which a client would have a reasonable expectation of privacy. Significantly, Sopinka J. drew the distinction between the hydro records and records maintained in the personal computer of a private citizen, but also noted that the records in Plant were “close to the line”. McLachlin J., (as she then was) concurred in the result, but was of the view that the search of the hydro records crossed the line and a warrant was required to gain access to them. This was because “the very reason the police wanted the records was to learn about the appellant’s personal lifestyle.” (at 302)
It is submitted that the records to which the lawful access proposals would apply are closer to those on an individual’s computer than they are to hydro records, as McLachlin J. indicated in Plant:
“Computers may and should be private places, where the information they contain is subject to legal protection arising from a reasonable expectation of privacy. Computers may contain a wealth of personal information. Depending on its character, that information may be as private as any found in a dwelling house of hotel room.” (at 303- 04)
In fact, the records proposed and electronic conversations which the government has identified under its Lawful Access proposals are closer to telephone conversations than they are to files on a computer hard drive. The way Canadians use e-mail is much closer to the way they converse on a telephone than an exchange of letters. Cellular phone records can show a person’s movements from one cell zone to another. Records of surfing of the Internet would reveal some of the most intimate details of a person’s private life.
For all these reasons, we are of the view that the electronic interception proposed in the Consultation Document should be given the highest level of protection, equal to the interception of private communications (wiretaps). Anything less would be a diminution of Canadians’ privacy rights.
What is being proposed? What is the extent of the infringement being proposed?
The overall scheme being proposed is a radical reordering of how surveillance is carried out in this country. All service providers will be required to ensure that the authorities of the state will be able to monitor various types of electronic communications.
The first step to be taken by the authorities would be a preservation order which would require the service provider to “store and save existing data that is specific to a transaction or client.” at 13 This is supposed to be a temporary measure until authorities would be able to get a proper judicial order. It would be approved either judicially, or in “exigent circumstances” by the law enforcement agencies directly without a judicial order.
A production order would be judicially authorized and it would require the service provider to deliver the data to law enforcement officials within a certain period of time. The Consultation Document foresees two types of production orders.
A general production order would be the equivalent to a search warrant, and require the production of documents.
A specific production order would apply to traffic data, and the Consultation document states that this and other traffic data is subject to a lower expectation of privacy.
The BCCLA has a number of points of contention with this approach.
First, we do not accept that a search of electronic communications information as part of a criminal investigation involves a lower expectation of privacy at any point. As indicated in R. v. Plant, computer information is much more personal than hydro records, which the court found were a borderline case and close to the edge for requiring a warrant to be examined. Certainly, there should never be an order issued for the preservation of either traffic or content data on the simple say-so of law enforcement authorities.
We also share the concern expressed by the Privacy Commissioner of Canada that the two- part process between judicial authorization of a preservation order and a production order could result in a situation where neither judge conducts the rigorous examination of the allegations supporting the application for the order, on the assumption the other judge has/will do it.
It is apparent that preservation orders pose a great threat to civil liberties, and the Consultation Document’s proposals do not provide anywhere near sufficient safeguards for this radical concept to be incorporated into Canadian criminal law.
The proposal for production orders also betrays a view that the collection of communications data is only slightly more intrusive than monitoring hydro consumption records. However, as the Supreme Court stated in Plant, hydro records themselves are a borderline case, so it appears anything beyond that would entail a reasonable expectation of privacy and the full range of protections under the Charter.
As for retention orders, we will not outline our views as officials have indicated that retention orders are not being planned by the government. However, we wish to state that the concerns we have expressed regarding preservation orders would be increased exponentially if retention orders are being contemplated either now or in the future. We also express some pessimism on this point given the actions of some other signatories to the Convention on Cyber-Crime, specifically the United Kingdom, to set up a system of data retention.
What legal and practical safeguards will be in place?
Article 15 of the Convention provides for the parties to adhere to certain minimum safeguards for the protection of human rights.
Article 15 – Conditions and safeguards
1. Each Party shall ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.
2. Such conditions and safeguards shall, as appropriate in view of the nature of the power or procedure concerned, inter alia, include judicial or other independent supervision, grounds justifying application, and limitation on the scope and the duration of such power or procedure.
3. To the extent that it is consistent with the public interest, in particular the sound administration of justice, a Party shall consider the impact of the powers and procedures in this Section upon the rights, responsibilities and legitimate interests of third parties.
The Consultation Document does not talk about safeguards except in generalities such as “the need for effective measures that balance the rights, privacy, safety, security and economic well being of all Canadians.” (p.5) As noted above, the proposals exhibit a cavalier attitude to the privacy rights of Canadians, particularly with regard to communications traffic data.
It is strongly recommended that the traditional and proven safeguard of judicially authorized warrants be used where the government can justify the need for such warrants.
How likely are the new measures to achieve the desired result?
It seems unlikely that the measures being proposed will have the effect of reducing significantly the types of organized criminal activity set out in the consultation document. There are two principal reasons for this belief.
If these proposals are enacted, it will become much more common for anyone using the Internet to use various types of encryption if they are interested in maintaining a degree of personal privacy. This is going to become increasingly common as people become more and more aware that their e mails are subject to intercept for a variety of reasons.
For criminals and terrorists, it can be safely assumed that if they are at all organized, they will already be using encryption for electronic communications related to their criminal activity. This will mean that the government will primarily be able to intercept the communications of low-level criminals, or individuals who are downloading pornography or discussing minor criminal activity.
To go after the big fish, the government will have to come back with new proposals prohibiting the use of encryption by everyone. That is the next logical step following the new philosophy that the citizen must ensure the state is able to eavesdrop on any and all conversations.
Criminals likely to move to private networks to avoid detection
Organized crime and terrorists are also likely to avoid the whole realm of service providers and public networks by setting up their own private networks to send electronic communications among themselves. This will have the effect of avoiding all the measures now being proposed by the government. If the use of private networks becomes widespread, the government will have to bring in new legislation to address the communications of criminals and terrorists.
Other recent incursions by government on the right to privacy
These proposals for lawful access are only the most recent government action which dramatically reduces the privacy rights of Canadians. The following section sets out the context in which these proposals are being made, and it shows a relentless incursion into the privacy rights of Canadians.
The Anti-terrorism Act
The Anti-terrorism Act contains extraordinary forms of lawful interception of telecommunications. While the Consultation Document considers the routine requirement of judicial authorization for the lawful access of enforcement authorities to private communications, it ignores the extraordinary powers now legally vested in CSIS and the Communications Security Establishment to undertake surveillance at the sole behest of the Minister of National Defence. Further, Bill C-36 explicitly provided for the OPERATIONAL integration of CSE assets and police authorities.
Now that the enormous electronic sigint assets of the CSE have been turned toward domestic targets, it faces new challenges of scale, and the proposals are very much concerned to facilitate an enormous scaling-up of the Government’s surveillance activities. Consider, for instance, the suggestion that preservation orders be in force for a minimum of 90 days while the government seeks judicial authorization to intercept specific communications. Such a huge period of time makes no sense in “specific” cases, but eminent sense in those circumstances where the government is seeking wholesale access to entire groups of communications which will be machine-screened for suspicious contents.
We must note that in the Moussaoui and similar cases, the identification of a terrorism suspect often only occurs after they act. A 90 day preservation order at that time will often yield nothing, logically leading the government to expand its preservation requirements into retention requirements.
The Public Safety Act (Bill C-17)
This legislation, which is now before a legislative committee, would also have the effect of opening the private lives of Canadians to greater government scrutiny. RCMP officers would have access to the AIP-PNR database for the purpose of transportation security which identifies a number of different personal characteristics of air passengers.
This database already provides access to air passenger data for the Canada Customs and Revenue Agency (CCRA) which is able to retain it for 6 years and use it for a variety of purposes. It has also been expanded to include information on passengers using other means of transportation We have already voiced our concern about this database to the minister responsible, as have a number of other groups and the federal and several provincial Privacy Commissioners.
The creation of the Total Information Awareness Program in the United States is also a great concern, given the amount of data from Canada with either flows through or is processed in the United States. This system is designed to collect and retain the maximum amount of personal information available on everyone, then sort it for various patterns of behaviour.
Such a system is abhorrent, and it goes well beyond what is being proposed in this document. However, given the various linkages between security and law enforcement agencies in our two countries, we wonder how long it will take for Canadian agencies to have their American colleagues do their electronic surveillance for them.
In the final analysis, we are not convinced that these proposals should go forward.
There has been no need demonstrated which would justify the massive intrusion into the private lives of Canadians and the reversal of protections against unreasonable search and seize. The government simply states that it is more complicated to conduct electronic surveillance, not that it is impossible to do. The Council of Europe Convention on Cyber-crime is not in effect, and there is no indication that it will be anytime soon. We also don’t know what reservations might be made under the treaty by other federal states, including some of our closest allies and trading partners. A vague promise made in the Speech From the Throne before last is also a less than convincing rationale for allowing huge incursions into our civil liberties.
In addition to being a massive intrusion, these proposals would also require Canadians and/or their service providers to pay for the surveillance being conducted on them and their fellow citizens. This philosophy reached its absurd final result in Germany this year when customers subject to wiretaps were billed for this ‘service’. What the Government of Canada is proposing here is that everyone will be billed, but only some of us will be bugged.
This is wrong in principle and will be impractical in operation.
The lack of safeguards for privacy are also disturbing, as is the expressed view that traffic data is somehow not revealing of a person’s private life and therefore not worthy of protection.
We are also unconvinced that what is being proposed here would actually help fight organized crime or terrorism. What is more likely is that agencies of the state will have much more access to the private lives of ordinary Canadians, and will prosecute some of them for looking at forbidden material or having unguarded electronic conversations. Serious criminals and terrorists are unlikely to be careless enough to fall within the ambit of these proposed measures.
This brings us to the other shoe, which will drop once it becomes apparent that these ‘lawful access’ measures are insufficient for the government’s purposes. We will then see legislation banning encryption, restrictions on private networks as well as data retention orders. These will all be justified on the same flimsy basis as these proposals.
Whatever speculative (and we stress the word speculative) advantage might be gained for law enforcement and security authorities by the legislative measures proposed in this consultation document, the acceptance of its proposals would have the certain effect of sweeping away the privacy rights of Canadians in the electronic sphere without having a significant effect on crime or terrorism.
Requiring the citizenry – at their own cost – to only communicate in ways that facilitate state surveillance, and to provide for at least partial records of all of their digital communications, strikes at the heart of both civil and human privacy rights. It envisages a body of law that prohibits communication at a volume lower than a stage whisper, lest government agents meet with difficulty in eavesdropping; and also requires the citizenry to record their conversations against the contingency that the state may wish to refer to them at some later time. This is fundamentally wrong, and we will use every resource available to us to fight it root and branch.