Investigative Capabilities in a Digital World

Answer this section here

  • How can the Government address challenges to law enforcement and national security investigations posed by the evolving technological landscape in a manner that is consistent with Canadian values, including respect for privacy, provision of security and the protection of economic interests?

The Government should adhere to decisions of the Supreme Court and the findings of the Office of Privacy Commissioner, and engage on a sustained basis with legal experts and human right and civil liberties organisations for guidance into addressing challenges while respecting the Charter and international human rights obligations.

  • In the physical world, if the police obtain a search warrant from a judge to enter your home to conduct an investigation, they are authorized to access your home. Should investigative agencies operate any differently in the digital world?

The digital world and the physical world are very different: the former is infinite and the latter is very narrow. As such, a warrant allowing search and seizure in a home will not necessarily be able to give access to private information such as bank or medical records that a warrant for a digital device would. If digital access is needed for an investigation, it should be limited to what security agents are looking for in order to directly prevent or prove a specific crime. It should not apply to a device in its entirety, which could lead to important privacy violations.

  • Currently, investigative agencies have tools in the digital world similar to those in the physical world. As this document shows, there is concern that these tools may not be as effective in the digital world as in the physical world. Should the Government update these tools to better support digital/online investigations?

The Snowden revelations and the work of several journalists and newspapers have revealed that investigative agencies already possess and use too many intrusive technology and tools to access information in the digital world. Canada’s national security agencies’ capability to conduct mass surveillance, legally or illegally, has highly contributed to the ongoing erosion of privacy and Canadians’ Charter rights. These tools should actually be scaled back.

For example, CSEC helped the NSA to create a “back door” in an encryption key used worldwide, has spied on Canadians using public WiFi networks, has captured millions of downloads daily, has engaged in mass Internet surveillance of file-sharing sites, has developed cyber-warfare tools to hack into computers and phones all over the world, and has shared information on Canadians with its foreign partners without proper measures to protect privacy.

More recently, a SIRC report analyzed a little-known program of bulk data collection operated by CSIS since 2006. Two troubling points were revealed: First, SIRC disagreed with CSIS over the agency’s classification of some of its bulk data collection of private information as “publicly available” and “openly sourced,” for which CSIC claim they do not need to meet the “strict necessity” requirement for data collection. Second, and even more troubling, was SIRC’s finding regarding the datasets that CSIC classified as meeting the requirement of “strict necessity”: “SIRC found no evidence to indicate that CSIS had appropriately considered the threshold as required in the CSIS Act.” It is impossible to read this as indicating anything other than contempt for the law. This is so serious a matter that SIRC called for the immediate halt to the acquisition of bulk data sets until there is a system in place to confirm compliance with the law. A Federal Court recently ruled that this bulk data collection is illegal. Media have reported that Minister Goodale is contemplating changing the law so that CSIS can use this data. Laws should not be modified to legalize a problematic practice and allow more invasion of privacy. The collection should stop at once and CSIS should respect the law.

Finally, we are also concerned by law enforcement agencies, including the RCMP, using IMSI catchers – or stingrays – which are devices that can identify any cellphone in their vicinity. Despite being in use since at least 2005, and despite the fact that they can disrupt calls – including causing 50% of 911 calls to be dropped – the Canadian Radio-television and Telecommunications Commission (CRTC) was not aware of their use by law enforcement. There must be more transparency and regulations around the use of IMSI catchers and other new surveillance technology.

  • Is your expectation of privacy different in the digital world than in the physical world?

Absolutely. It is higher for the digital world, for the reasons specified above.

BASIC SUBSCRIBER INFORMATION (BSI)

  • Since the Spencer decision, police and national security agencies have had difficulty obtaining BSI in a timely and efficient manner. This has limited their ability to carry out their mandates, including law enforcement’s investigation of crimes. If the Government developed legislation to respond to this problem, under what circumstances should BSI (such as name, address, telephone number and email address) be available to these agencies? For example, some circumstances may include, but are not limited to: emergency circumstances, to help find a missing person, if there is suspicion of a crime, to further an investigative lead, etc.

There is a reason the Spencer decision limited access to BSI: to protect Canadians’ privacy rights. That ruling must be respected and police and national security agencies should obtain a warrant at all times when they want BSI, even when the telecommunications companies would otherwise give it voluntarily. In some true emergency situations (i.e. if a life is in danger or a crime is about to be committed), the criminal code already allows police to access BSI without a warrant.

According to digital privacy experts Tamir Israel and Christopher Parsons, in keeping with past attempts to introduce an unfettered digital identification power, the consultation documents have failed to make the case that such indiscriminate powers are needed. The documents repeat long enduring claims that current access mechanisms are ‘inconsistent and slow’, but fail to acknowledge the fact that such claims have been repeatedly discredited in the past.

Finally, in the context of this national security consultation, unfettered access to digital identifiers is presented as a national security measure intended to address critical counter-terrorism matters that are currently at the forefront of national attention and concern. However, as in past attempts to introduce this legislation, the power proposed is one of general application, meaning it will be used predominantly in other investigative contexts. Further, no specific explanation is provided for why this exceptional power is necessary even in the national security context. Indeed, upon the 2013 defeat of this proposal as embodied in Bill C-30, then Director of CSIS indicated that unfettered access to subscriber identification information is “not absolutely critical for us to do our work.” While on the one hand these identification powers may not be ‘absolutely critical’ to national security, their indiscriminate availability to agencies such as CSIS and CSE can have even more serious and far-reaching privacy implications.

  • Do you consider your basic identifying information identified through BSI (such as name, home address, phone number and email address) to be as private as the contents of your emails? your personal diary? your financial records? your medical records? Why or why not?

Yes, absolutely. BSI also includes IP addresses and mobile devices’ IMSI number, and can reveal intimate details of a person’s contacts, networks, activities, lifestyle preferences, whereabouts, etc., when linked to other information. This is the opinion of the Supreme Court of Canada, and multiple evidence-based research reports have demonstrated its far-reaching capacity to invade. Replicating a trend that is regrettably evident throughout the consultation documents, the documents treat privacy in subscriber information as, at best, an afterthought. By ignoring the rich and detailed historical debate that has occurred in Canada on this matter the government has failed to acknowledge the privacy issues associated with indiscriminate access to digital identification.

  • Do you see a difference between the police having access to your name, home address and phone number, and the police having access to your Internet address, such as your IP address or email address?

Yes there is a difference. In the digital world an IP or e-mail address, when linked to other information, can reveal an infinite amount of intrusive intimate personal information.

INTERCEPTION CAPABILITY

  • The Government has made previous attempts to enact interception capability legislation. This legislation would have required domestic communications service providers to create and maintain networks that would be technically capable of intercepting communications if a court order authorized the interception. These legislative proposals were controversial with Canadians. Some were concerned about privacy intrusions. As well, the Canadian communications industry was concerned about how such laws might affect it.

According to digital privacy expert Christopher Parsons, the police have their own equipment that is capable of integrating with telecommunications carriers’ equipment, and they have the competence to install it when a carrier does not possess the surveillance capacities desired. That federal authorities have to expend their own funds to initiate such surveillance is not inherently bad, since it forces authorities to engage in a careful evaluation of where best to expend limited public funds: this means that authorities will, presumably, prioritize high-risk cases as opposed to initiating a broad surveillance infrastructure. Such economic rationales are one of the ways that society ensures police are circumspect in how broadly they engage in surveillance. With that knowledge, the concerns related to privacy intrusions and the unnecessary burdens on the communications industry (and the consumers) seem justified.

  • Should Canada’s laws help to ensure that consistent interception capabilities are available through domestic communications service provider networks when a court order authorizing interception is granted by the courts?

With a warrant, this should be allowed. However, apart from what was said in the previous response, many Canadians have also lost confidence in our national security agencies, and question their respect for our right to privacy. Recently, the public was also informed of problems of diligence among justices of the peace when issuing warrants to spy on journalists (who are not suspected of any crimes). Therefore, interception powers should be severely limited to the communications between people suspected of planning or having committed a crime; not all the communications of those people with others. Just like it’s not acceptable to open and read all letters received by an individual, it should not be acceptable to open and read all the emails of an individual. If there are communications intercepted by mistake that are not related to the crime, they should not be kept or used.

ENCRYPTION

  • If the Government were to consider options to address the challenges encryption poses in law enforcement and national security investigations, in what circumstances, if any, should investigators have the ability to compel individuals or companies to assist with decryption?

Compelling decryption could necessitate a key that will unlock the data or communications of all a company’s users. This creates a huge risk of privacy violations, and is a dangerous slippery slope towards government access to private information in general.

This proposal also rests on a violation of one of our most fundamental rights: our right against self-incrimination. It is very difficult to imagine how a law that would compel a password could be constitutional. No proposal should even be explored until we have court decisions on compelled passwords in the context of inspections by the Canadian Border Services Agency. These are cases that are already in play and will provide important guidance. If compelling a password isn’t constitutional in the context of border security, it will not be constitutional in the setting of ordinary criminal law. Finally, it has also not been demonstrated that this is necessary to conduct effective investigative work.

  • How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?

That appears to be impossible. Encryption needs to work all the time, otherwise it’s not really encryption. It is now commonplace to hear law enforcement state that encryption is a barrier to their investigations. However, our entire digitally-mediated world requires strong security, so that criminals and foreign governments and rival businesses are less able to conduct surveillance on Canadian citizens: encryption keeps us all safer. We have too great a need for cyber-security to undermine it in this way.

Furthermore, recent suggestions in the media that encryption has prevented investigations from going forward, or that decrypting certain data would have been useful, are problematic. In fact, several of those investigations did not stop after facing the barrier of encryption. Also, without knowing what was encrypted, there is no evidence that encryption was a significant problem, only that there was some information that could not be readily accessed.

DATA RETENTION

  • Should the law require Canadian service providers to keep telecommunications data for a certain period to ensure that it is available if law enforcement and national security agencies need it for their investigations and a court authorizes access?

The police already have the power to obtain a Preservation Order, which a judge can grant based on a low threshold, and allows the police to require preservation of information in particular cases. For example, cases in which it will take time to get a search warrant and the information is in danger of being destroyed. What the Green Paper asks is whether telecommunications companies should just be required to retain data for long periods of time, just in case the police need itRather like a global preservation order.

The 2014 Court of Justice of the European Union struck down the EU “Data Retention Directive” because the blanket retention of innocent persons’ data violates the EU Charter of Fundamental Rights. It is at least possible that it would violate our Charter as well. So evidence must be produced to show that current powers are insufficient before any consideration is given to a policy that has already been rejected in Europe as a violation of fundamental rights.

  • If the Government of Canada were to enact a general data retention requirement, what type of data should be included or excluded? How long should this information be kept?

The Governement of Canada should not enact a general data retention requirement.