News from ICLMG
New revelations of spy agency’s unlawful activities and misleading courts show need for concrete action and accountability
OTTAWA, Sept. 2, 2020 – A federal court decision released at the end of August has revealed yet another case of the Canadian Security Intelligence Service (CSIS) engaging in potentially illegal activities to gather intelligence in support of a surveillance warrant. The decision also reveals that in applying for the warrant, CSIS not only withheld exculpatory information regarding the warrant’s target, but also misled the courts in how it presented other information.
The new revelations came as part of the ongoing efforts by lawyers for Awso Peshdary, charged with terrorism offences, to have a surveillance warrant issued against him in 2012 quashed. Presiding judge Justice James O’Reilly had originally dismissed the request in 2018, but is now reconsidering his decision given the new evidence.
This egregious breach of CSIS’ duty of candour – to make full and frank representations to the courts when applying for a warrant in an ex parte (secret) hearing – is in addition to another scathing Federal Court decision from Justice Patrick Gleeson, made public on July 16. In that decision, Justice Gleeson found that CSIS had also misled the courts, this time regarding illegal actions carried out as part of their intelligence gathering activities.
“In less than two months, we have two court decisions revealing CSIS engaged in potentially illegal activities and withheld information from the courts,” said Tim McSorley, national coordinator of the International Civil Liberties Monitoring Group (ICLMG). “This is utterly unacceptable. Government agencies cannot be allowed to lie to the courts time and again. Public Safety Minister Bill Blair and CSIS Director David Vigneault must take immediate action to put an end to this abuse of power.”
The coalition is calling on Public Safety Minister Bill Blair to immediately determine whether those who were involved in illegal activity or misleading the courts are still employed by either CSIS or the Department of Justice, and to publicly state the repercussions they have faced in light of their actions, up to and including termination of employment and judicial proceedings.
“These actions by CSIS officers not only undermine the justice system, but also demonstrate a deep disregard for the fundamental rights and freedoms of Canadians and people in Canada. No one should be subject to surveillance or other measures based on misleading information or as the result of illegal activities,” said McSorley.
The July federal court decision called for a comprehensive external review “to fully identify systemic, governance and cultural shortcomings and failures that resulted in the Canadian Security Intelligence Service engaging in operational activity that it has conceded was illegal and the resultant breach of candour.”
The National Security and Intelligence Review Agency (NSIRA) has since been tasked by the federal government to undertake this review. While this is a positive step, the duty to be candid in representations to the court is not new. In 2010, two years before the warrant in question was granted, the Supreme Court of Canada wrote, “When seeking an ex parte authorization such as a search warrant, a police officer — indeed, any informant — must be particularly careful not to “pick and choose” among the relevant facts in order to achieve the desired outcome. The informant’s obligation is to present all material facts, favourable or not.” (R v Morelli, 2010 SCC 8, [2010] 1 SCR 253 at para. 58.)
It is important to note that in these ex parte hearings, there is no opposing counsel present to challenge the claims made by CSIS officers or government counsel. This makes the necessity of being candid and truthful even more important.
“We trust that the forthcoming report from the NSIRA will help shine a light on the depth of these issues, and present solutions for moving forward, including addressing the lack of opposing counsel during ex parte hearings. However, the fact remains that the courts have identified instances where it is already clear that federal officers went too far and undermined both the justice system and threatened the rights of Canadians. There must be accountability and repercussions for those actions to ensure they do not occur again,” said McSorley.
Read the full letter to Minister Bill Blair here.
Since you’re here…… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work. You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!
Our analysis of the COVID Alert app
UPDATE (27/08/2020): Since publishing this analysis, we have followed up with Health Canada and Canada Digital Services. Information is added below. We are still waiting for some final information from Health Canada and will update the post further when we have received it.
UPDATE (03/09/2020): We have received more clarifications from Health Canada. Update is below.
We’ve seen several people on our social media feeds advocate for downloading the new federal COVID Alert application, based on arguments including the fact our privacy is already violated by Facebook. We don’t believe this should be an argument for using the app: the fact that governments have failed to protect our data and privacy while we use Facebook – a very important platform, including for activism – does not mean that we should accept other possible privacy violations, especially when the Office of the Privacy Commissioner (OPC) of Canada has published a privacy assessment of the app.
Important links
Short version of the OPC’s assessment: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2020/nr-c_200731/
OPC’s full analysis (it’s not that much longer, we encourage everyone to read it): https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/rev_covid-app/
Government webpage for the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert.html
Government privacy notice on the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy.html
Our analysis
Here is our understanding of the app based on all the info provided in the links above:
- From the Privacy Commissioner’s analysis: “Participating provinces [right now it’s only Ontario] will be required to distribute one-time codes to users of the app who have tested positive, which allows them to share their exposure notification info from the app with other users in a de-identified fashion. Certain individuals at the provincial level will be aware that a person has received a positive test result, but individuals will not have access to the exposure notification information.”
- The app does not track location, does not collect your name or address or contacts in your phone, according to the Privacy Commissioner. The OPC states that strong encryption is used in the creation and sharing of these one-time codes, and most data used by the app will be stored directly on your phone and deleted after 15 days. All data sent and received is de-identified and anonymized, meaning you won’t be able to know who has tested positive or where, and if you test positive, people notified won’t know it’s you or where the contact occurred. The Privacy Commissioner notes that it’s not impossible to re-identify data, but that the risk is very low.
- The Privacy Commissioner is happy with the level of cooperation and transparency of the government, and reviewed the design of the app and how it interacts with federal servers. The code is public (links here), but of course only experts can understand it. The app is not supposed to use any data for purposes other than notifying people they have been in close proximity with someone who tested positive for COVID-19.
- It is not ideal that there was no law or parliamentary process to roll out the app but we are definitely happy the government delayed the roll out until the Privacy Commissioner of Canada finally had a chance to examine it.
- Use of the app is voluntary, which is positive. We were also happily surprised to learn that a study from epidemiologists at Oxford University shows that contact tracing and notification apps could be effective in preventing some spreading even if they are not used by most people. It could prevent one new infection per one or two persons using the app. In any case, the app is only effective in preventing spreading if used together with other preventative measures such as testing, manual COVID-19 contact-tracing, the use of masks, physical distancing and hand washing.
- We are also happy that there will be an evaluation of the effectiveness and privacy impact of the app in the last quarter of 2020, and pleased to see the creation of an advisory council of outside experts to provide advice and guidance to ensure the effectiveness of the app.
- As the Privacy Commissioner has said, it would be important for the government to forbid businesses from requiring customers to show proof that they have the app and that they have not tested positive or have not been in contact with people who are positive, otherwise the voluntary nature of the app goes out the window.
- Health Canada committed to shutting down the app – which will erase the random numbers shared between phones and delete any data stored on the Government of Canada’s servers (unless IP addresses are being retained for a security investigation) – within 30 days after the pandemic is declared over. Even though the pandemic could last a long time, this is an important time limitation.
Some concerns to note
- In April, with OpenMedia, BCCLA, CIPPIC and BC FIPA, we put together 7 principles to follow for contact-tracing apps to protect human rights. The new app meets some principles but not all of them: the app is not regulated by a law and didn’t go through a parliamentary process; there is no stated recourse if there is a breach of privacy or other issues or rights violations; and there is no commitment from the government to discontinue the app if it’s found to be ineffective (or there are privacy issues with it) – only a commitment that they will take the recommendation of the Advisory Council into consideration.
- From the Privacy Commissioner’s analysis: “IP addresses accompany attempts to verify one-time codes to the server. The server retains the user’s IP address for 60 minutes if the one-time code is not valid; this retention is meant to help prevent fraudulent uses of one-time codes [like fake exposure notifications, which the government is transparent about on their webpage]. In addition, system logs will retain users’ IP address every time there is a request made to the server (one-time code verification, diagnosis key upload, etc.) for up to three months in normal conditions. In the event of suspicious activity, the system will retain a user’s IP address for up to two years. In this scenario, the relevant system logs may be shared with law enforcement agencies to facilitate an investigation. These security features present a risk of re-identification because, when combined with other information, IP addresses can be used to identify individuals. But, again, due to the adoption of strong safeguards, we believe the risk of identification is low. The Government of Canada indicated to our Office that access to these logs is restricted to authorized users who are bound by security obligations to protect this information and not to access or use it for nefarious purposes.”
- It would seem that it should not be necessary to keep IPs beyond one hour, just long enough to verify the validity of the codes. “Suspicious activity” and the type of investigation that could be launched, and for which our IP addresses could be shared with law enforcement, should also be defined. Currently, the government’s privacy assessment states, “IP addresses may be disclosed to law enforcement in the event a malicious actor attempted to gain, or gained, access to the server where they are stored.” However, we lack information about what kind of “suspicious activity” would trigger the longer retention of IP addresses, as well as whether the disclosure of IP addresses to law enforcement is strictly bound to malicious attempts to access servers.
- Furthermore, we maintain even deeper concerns about the need to store for three months the IP addresses of individuals who merely receive keys to verify whether they came in contact with anyone who tested positive, and have not submitted any codes through the app. This seems to us to be unnecessary, but we have reached out to the government for more information. We do note, at least, that IP addresses will be stored on a separate server from the key server, providing one more layer of privacy security.
- UPDATE (27/08/2020): After speaking with Health Canada and Canadian Digital Service officials, some of our concerns have been clarified and/or addressed:
  - Regarding the retention period of three months for all IP addresses, we were informed that this time frame was reached after deep deliberation among staff involved both in cybersecurity and in privacy issues. In fact, the original proposal was to possibly keep IP addresses for a longer time period. We were told that the retention of IP addresses over a three-month time frame is to ensure the application is functioning normally and to ensure that activity can be properly tracked in order to monitor for patterns that demonstrate suspicious activity. Officials have also committed to reviewing and potentially reducing this retention period if it becomes clear that a shorter time frame is adequate to ensure the security of the system. This is also explained online here, including the commitment to reviewing the retention period.
  - In our conversation, officials also reaffirmed that they are monitoring for suspicious activity that would undermine the security or integrity of the system and users. The activity considered suspicious, and the steps to be taken, are laid out in the Government of Canada Cyber Security Event Management Plan (GC CSEMP), including under what circumstances activity must be reported to either the Canadian Centre for Cyber Security or to law enforcement. More details are found in sections 5.2.3 and 5.2.4 of the GC CSEMP. While we would still prefer to see specific legislation regarding the handling of information related to COVID Alert, this provides clear, written guidelines regarding potential cyber-security incidents.
  - We have also re-confirmed that IP addresses are kept on a separate server from the one that handles one-time codes and keys. This is positive. However, we agree with the OPC and maintain our concern that IP addresses still present a risk of re-identification. This is particularly true since the IP server also maintains logs of the activity associated with that IP address. Therefore, when the activity of uploading a one-time code to the application is associated with an IP address, it can be inferred that the owner of that IP address has tested positive for COVID-19. We recognize that important and significant steps have been taken to protect this information, including strict limits on access and strong cybersecurity protections. However, we have also asked whether there has been consideration of further limiting the kind of information stored alongside IP addresses by, for example, not associating a type of activity (such as uploading a one-time code or downloading keys) with an IP address, and solely noting if there was an attempt to upload a fraudulent code from an IP address (or if everything is normal). We will update when we have a response.
  - Finally, we were also informed that officials are in the process of putting together documentation to add to the government’s COVID Alert page that would further explain security and privacy measures. This is positive for transparency and accountability, and we will link to it once it has been published.
- UPDATE #2 (03/09/2020): We have received further clarifications and information from Health Canada regarding our concerns:
  - They have confirmed that sharing information with law enforcement “would be specifically in the event of a cybersecurity attack on the exposure notification system (e.g. enlisting law enforcement to help respond), rather than situations where law enforcement is looking for some kind of information from CDS/HC to pursue some other investigation.”
  - Also confirmed is that any disclosed information – including IP addresses – would be considered “personal information” and they would therefore act in accordance with the Privacy Act and the Charter of Rights and Freedoms.
  - Finally, they are open to reducing the amount and kind of information retained on the IP server, but do not have plans to make any changes. There may also be limitations to what can be modified on the AWS system where the IP addresses and logs are stored. While these systems have strong security measures in place, this still leaves room for some privacy concerns. We will look to follow up again with officials in the coming months to ascertain whether they are open to further minimizing the amount of information retained.
- The cloud services used by the government of Canada are owned and operated by Amazon. There are Amazon servers located in Montreal and this is most likely where data will be stored since it’s a Canadian app. For what it’s worth, many businesses, such as the National Bank of Canada, use those servers as well. The Privacy Commissioner says: “Amazon Web Services were procured through existing Shared Services Canada cloud framework agreement. Our preliminary assessment of this agreement suggests measures are in place to protect the information stored in the server. However, considering the complexity of the agreement and our limited time for review, we reserve the right to further review this agreement as part of the Government of Canada’s broader cloud-first strategy.”
- Finally, the Privacy Commissioner says: “In addition to looking at the design of the app and how it interacts with the federal servers, we reviewed publicly available information about the API [Application Programming Interface, which is a software intermediary that allows two applications to talk to each other] designed by Google and Apple. However, we were not able to review the entire API code, which is not publicly available. A thorough evaluation of the surrounding technical ecosystem in which the app operates is beyond the reach of this review. We are aware of concerns related to this uncertainty about the environment in which the app and API interact.” The Privacy Commissioner’s recommendation: “The Government of Canada should continually monitor and assess the potential risks related to the Google and Apple operating systems in relation to COVID Alert. To maintain the same level of transparency, the Government of Canada should communicate to the public any potential new privacy risk related to that component of the COVID Alert app.”
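The log minimization raised with officials in the 27/08/2020 update (store no activity type alongside an IP address, only whether an invalid one-time code was submitted) can be sketched as follows. This is an added example, not part of the original post and not code from the COVID Alert project; the field names, activity labels, per-day aggregation and sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample records. Field names and activity labels are hypothetical;
# the IP addresses come from the reserved documentation ranges.
RAW_LOG = [
    {"ts": "2020-08-27T10:00:00", "ip": "203.0.113.5",
     "activity": "key_download", "valid": True},
    {"ts": "2020-08-27T10:05:00", "ip": "203.0.113.9",
     "activity": "code_verify", "valid": True},
    {"ts": "2020-08-27T10:05:02", "ip": "203.0.113.9",
     "activity": "key_upload", "valid": True},
    {"ts": "2020-08-27T11:00:00", "ip": "198.51.100.7",
     "activity": "code_verify", "valid": False},
    {"ts": "2020-08-27T12:00:00", "ip": "203.0.113.5",
     "activity": "key_download", "valid": True},
]


def ips_revealing_positive_test(log):
    """Privacy audit: IPs for which the log shows a successful upload.

    With activity types stored next to IP addresses, a successful upload
    implies that the owner of that IP address tested positive.
    """
    return sorted({r["ip"] for r in log
                   if r.get("activity") == "key_upload" and r.get("valid")})


def minimize(log):
    """Collapse the log to one status per (IP, day).

    The status is 'invalid_code' if any invalid one-time code was submitted
    from that IP on that day, and 'normal' otherwise. Activity types and
    exact timestamps are dropped (aggregating per day is an assumption).
    """
    status = {}
    for r in log:
        day = datetime.fromisoformat(r["ts"]).date().isoformat()
        key = (r["ip"], day)
        if r["activity"] == "code_verify" and not r["valid"]:
            status[key] = "invalid_code"
        else:
            # Keep an earlier 'invalid_code' mark if one exists.
            status.setdefault(key, "normal")
    return [{"ip": ip, "day": day, "status": s}
            for (ip, day), s in sorted(status.items())]


if __name__ == "__main__":
    print("raw log reveals:", ips_revealing_positive_test(RAW_LOG))
    for row in minimize(RAW_LOG):
        print(row)
```

In the minimized output, the IP that uploaded keys and the IP that only downloaded keys both carry the status `normal`, while the invalid-code attempt remains visible for fraud monitoring.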
We hope this will be helpful in informing your decision on whether or not to use the app. We are still discussing our concerns with colleagues within the civil liberties and privacy fields, and are waiting to hear from the OPC and the government on our concerns, and may take additional action at a later date.
Here is some extra information from the government about the app: https://www.canada.ca/en/public-health/services/diseases/coronavirus-disease-covid-19/covid-alert/privacy-policy/assessment.html
PS: We haven’t touched on considerations of the application’s efficiency and necessity as it is outside the scope of our mandate and expertise. We encourage you to seek out that information as well to make a completely informed decision whether to use it or not.