Response to the Government of Canada's "Lawful Access" Consultations
Submission by the Office of the Privacy Commissioner of Canada to the Minister of Justice and Attorney General of Canada
Protecting the ability of individuals to communicate freely is central to the concept of privacy, "a broad, all-encompassing concept that envelops a whole host of human concerns about various forms of intrusive behavior, including wiretapping, surreptitious physical surveillance, and mail interception." Footnote 1 Sharing intimate thoughts, expressing unpopular opinions, arguing about controversial issues, freely discussing one's finances or health status, and even engaging in gossip are all activities that are fundamental to our private lives.
Individuals expect that fragments of their conversations may be overheard by others; they do not expect that their telephone calls will be monitored, their conversations taped or their computers searched by agents of the state. As Justice LaForest argued in R. v. Wise Footnote 2, commenting on the emerging recognition of a constitutional right to privacy:
"The decisions in Wong and Duarte are predicated on the notion that there exists a crucial distinction between exposing ourselves to the risk that others will see us or overhear our words, and the much more pernicious risk that they will be electronically monitored at the sole discretion of the state. Footnote 3 ... In both instances, it is constitutionally unacceptable that the state should be allowed to rest a justification for the unauthorized electronic surveillance of a given person on the mere fact that that person had been in a situation where he could be the object of scrutiny on the part of private individuals."
Since the introduction of telecommunications technology more than a century ago there has been an ongoing tension between the expectation by individuals that their communications are private and the attempts by law enforcement agencies to monitor these communications for investigative purposes.
Not surprisingly, the courts, both in Canada and in the United States, have frequently been called on to resolve this tension. Over time, and in a series of cases, the courts have set limits on the ability of law enforcement agencies to capture or monitor communications, and these cases have helped shape and define our understanding of privacy.
The most famous and arguably the most prophetic comment on the monitoring of communications by agents of the state was made by United States Supreme Court Justice Louis Brandeis, arguing in dissent in Olmstead v. United States (1928):
"Subtler and more far-reaching means of invading privacy have become available to the government. Discovery and invention have made it possible for the government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet. ... The progress of science in furnishing the government with means of espionage is not likely to stop with wire tapping. Ways may some day be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home." Footnote 4
A generation later, the courts in both Canada and the United States accepted Brandeis's argument that limits were needed on the use of electronic monitoring by the state. Writing for the majority in R. v. Wong, Justice LaForest referred to Brandeis's "prophetic dissent":
"Brandeis J. foresaw that the progress of science in furnishing government with the means of 'espionage' could not be expected to stop with wiretapping. One may speculate, however, that even Brandeis J. could not have envisaged the vertiginous pace at which eavesdropping technology would develop in the latter half of this century." Footnote 5
The legal protection of communications in Canada has developed in an incremental fashion. What is now Part VI of the Criminal Code, prohibiting the willful interception of "private communication", was originally introduced as the Protection of Privacy Act (Statutes of Canada, 1973-74, c.50). In regulating the telecommunications industry, the Canadian Radio-television and Telecommunications Commission (CRTC) is required by the Telecommunications Act "to contribute to the protection of the privacy of persons." The CRTC fulfills this mandate in several ways, for example, by establishing rules with respect to the use and disclosure of customers' personal information. Finally, section 8 of the Charter of Rights and Freedoms — "Everyone has the right to be secure against unreasonable search or seizure" — has helped define the limits on the state's ability to both monitor and seize communications. In R. v. Dyment, the Supreme Court stated that the underlying purpose of section 8 is "to secure the citizen's right to a reasonable expectation of privacy against government encroachments" and confirmed that section 8 is a personal right that protects people and not places. Footnote 6
Our interest in the government's lawful access proposals flows from an understandable concern that the limits and protections that have been established by these laws and legal decisions may be undermined by the proposed measures.
When the 2002 Consultation Paper on Lawful Access was issued by the Department of Justice, Industry Canada and the Solicitor General, our Office, along with several other parties, questioned the need to revise the existing lawful access regime. We pointed out that the departments had failed to demonstrate the existence of a serious problem that needed to be addressed. We urged the three departments to present a clear statement of the problems that law enforcement agencies were encountering along with empirical evidence supporting the need for enhanced surveillance powers proposed in the consultation paper.
This has still not been done. Without a clear understanding of the problems that the proposed legislation is intended to correct it is impossible for our Office or the Canadian public to determine if the measures being proposed are necessary and proportionate.
We have been told that the lawful access regime needs to be updated to keep pace with changing technology, that the legislation being contemplated will simply restore a level playing field in the fight against increasingly sophisticated criminals. We understand that the telecommunications environment has changed: competition has restructured the industry; anonymizing software is available for Internet communications; wireless telephone services can be purchased on a prepaid basis without providing subscriber information; and off-the-shelf encryption tools are readily available. We appreciate that, in certain situations, this has created challenges for law enforcement agencies.
However, law enforcement agencies have also been able to take advantage of new technologies. Key-stroke loggers have been used to capture e-mails as they are being composed and to gain access to passwords; packet sniffers can scan e-mails going through an ISP node for specific words or phrases; many cell phones generate very detailed location data; and the capability exists to analyze huge amounts of communications data for suspicious patterns. On the last point, we have seen an increased interest on the part of law enforcement and government agencies in data aggregation and data mining. On balance, it is not clear that the proposed measures are necessary to ensure that law enforcement and national security agencies can maintain the capabilities and authorities they may have had in the past.
We have also been told that one of the reasons legislation is necessary is to allow Canada to meet its commitments under the Council of Europe Convention on Cybercrime, which Canada has signed, but not ratified. We are aware that cybercrime — phishing, denial of service attacks, Internet fraud, malicious spyware, etc. — is a serious and growing international problem and that identity theft and related crimes are also on the rise. The Convention is about more than fighting cyber-crime; one of the main purposes of the Convention is to facilitate information-sharing among law enforcement agencies in the participating countries.
If the intrusive measures being proposed cannot be justified on their own merits in the Canadian context, they should not be introduced simply to allow Canadian law enforcement agencies to monitor communications and share this personal information under an agreement that does not require the establishment of an appropriate privacy framework that will ensure that the information being shared is adequately protected by the participating countries.
The final comment we want to make before discussing the specific issues raised in the consultation documents relates to the Personal Information Protection and Electronic Documents Act (PIPEDA). The passage of PIPEDA was a landmark event in the evolution of privacy protection in Canada. While not perfect, PIPEDA reflected a growing awareness of the importance of protecting personal information. In establishing ground rules for the collection, use and disclosure of personal information by the private sector the Act also placed important limits on the ability of government agencies to obtain information from the private sector.
Since PIPEDA was passed, a series of Acts have gradually whittled away these limits, dangerously blurring the distinction between the public and private sectors and, in effect, deputizing the business community. First the Proceeds of Crime (Money Laundering) and Terrorist Financing Act was amended to require financial institutions and other organizations to disclose personal information to the Financial Transactions Reports Analysis Centre of Canada; then Bill C-44 amended the Aeronautics Act to allow Canadian air carriers to disclose passenger information to the customs and immigration authorities of foreign states; and last year the Public Safety Act further amended PIPEDA. The Public Safety Act allows the Minister of Transport, the RCMP and CSIS to require air carriers and operators of aviation reservation systems to provide them with information about the passengers and crew of airlines and other modes of commercial transport. As well, it amended PIPEDA to allow organizations to collect personal information, without consent, for the purposes of disclosing this information to government, law enforcement and national security agencies. This incremental weakening of PIPEDA is troubling and will only be exacerbated by lawful access measures that press telecommunications service providers (TSPs) into service in support of law enforcement activities.
Comments on Specific Lawful Access Proposals
The comments that follow are based on the six sets of slides that we were given by Justice and the other departments and agencies with whom we met. We have organized our comments based on what we consider to be the most important issues raised by the consultation documents.
1. Compelling Interception Capability
The government is proposing that all wireless, wireline and Internet and other telecommunications service providers (TSPs) be required to maintain existing intercept capabilities, and to build in intercept capability as they make upgrades to their networks. As well, TSPs would be subject to other obligations, for example they would be required to remove any compression, encryption or other treatment of intercepted information that the TSP applies. A TSP would not be required to remove encryption or other treatment applied by the sender. As well, they would be required to provide information upon request to law enforcement officials relating to their telecom facilities and services, either generally or specific to a named person.
Small TSPs, TSPs who provide telecom services ancillary to their core functions as educational institutions or hotels, and TSPs who do not provide telecom services to the public would be partially exempt from these requirements.
We only have a few comments to make about this component. Although the requirement to maintain existing interception capability and build in this capability during future upgrades seems relatively benign, this may lead to more interceptions than would otherwise be the case. As well, as Justice Cory noted in R. v. Wise, concerning the installation of a beeper on a suspect's car, one cannot distinguish between the technology and the use of the technology:
"... it seems artificial to distinguish between the installation of the beeper and the subsequent monitoring. The monitoring is the extension of the installation. It is the aim and object of the installation and cannot be divided from the latter. The installation of the device and its subsequent use to monitor the vehicle, together, constituted the unreasonable search." Footnote 7
This requirement must not be interpreted in such a way that TSPs would be obligated or expected to produce any reports, track usage patterns or otherwise collect or generate any information that they would not otherwise collect or generate for normal business purposes. Nor should this provision force TSPs to adopt location technology in advance of business needs. The requirement to provide capability should be limited to meeting specific technical specifications related to interception capability. Finally, we would expect that the provision of any customer specific information would be subject to the safeguards discussed in the next section.
2. Access to Subscriber Data — Warrantless Searches
The government is proposing that law enforcement agencies be empowered to require TSPs to provide certain subscriber data (name, telephone number, address, e-mail address, IP address) upon request, without any judicial authorization. The request would have to be made by a person "designated" by the RCMP Commissioner, the Director of CSIS or the chief of a police service.
Unless required by law, the TSP would be prevented from disclosing that the request was made, the information provided, or any other information regarding the request.
In the 2002 consultation paper, the government raised the possibility of a national subscriber information database, "know your customer" obligations, and the mandatory collection of specified subscriber information. We are pleased that the government has decided not to proceed with these initiatives.
The consultation proposes that safeguards will be put in place: requests must be specific to individual users to avoid large-scale fishing expeditions; and records must be kept regarding all requests. These records will have to list the purpose of the request, the relevant law and specific file or investigation under which the request was made, and the name of the person making the request. These records will be available for audit by existing oversight bodies such as our Office, the courts, the Commission for Public Complaints Against the RCMP and the Security Intelligence Review Committee.
The proposed safeguards and the decision to forgo a national subscriber database are positive steps. Still, this is a troubling proposal. At present, under the Personal Information Protection and Electronic Documents Act (PIPEDA), TSPs can refuse such requests unless accompanied by judicial authorization. Pursuant to paragraph 7(3)(c.1), an organization may disclose personal information to a government institution or law enforcement agency for the purpose of enforcing a law or conducting an investigation. However, this is a discretionary authority — the law enforcement agency cannot compel production without a warrant or a court order. If implemented, this proposal would make such warrantless disclosures mandatory.
As well, the proposal goes far beyond simply disclosing the name and address associated with a particular telephone number or the name of someone's service provider. For example, this would require a TSP to provide a subscriber's dynamic IP address when a law enforcement agency provided a subscriber's name and a date and time, or a law enforcement agency could obtain a subscriber's name and Internet subscriber service identifier based on a subscriber's address. Many people use pseudonyms on the Internet in order to engage in anonymous communications and for a variety of other reasons. Footnote 8
Requiring an ISP to identify a subscriber based on a pseudonym raises the problem identified by Justice von Finckenstein in BMG et al v. John Doe et al of assuming that the subscriber is the person using a given pseudonym. Footnote 9 Von Finckenstein concluded that it would be irresponsible for the Court to order disclosure of the name of an account holder given the uncertainty that exists about the link between the identity of an account holder and an anonymous user as well as the link between the user of an account and a given dynamic IP address.
Given the significance of this proposal we do not think that the proposed safeguards are adequate. While we support the requirement that the authority to demand subscriber data be limited to specific designated individuals we would go further and suggest that each request should be accompanied by a specific justification. In addition, the designated individuals in any given police force or agency should be limited in number, and they should be officers with supervisory responsibilities.
The consultation documents state that records will be maintained of all requests, but it is not clear who will be responsible for these records. Both TSPs and law enforcement agencies should be required to maintain records of such requests. This would ensure that two separate audit trails exist. The reason for this is simple. Under section 37 of the Privacy Act, our Office can conduct a compliance review of a government department or agency at any time at the discretion of the Commissioner. Under section 18 of PIPEDA we require "reasonable grounds to believe" that an organization is contravening the Act before we can conduct an audit. Similarly, some provincial commissioners would have the authority to audit a provincial or municipal police force but not a federally regulated TSP.
This authority to demand subscriber information should be used with care: TSPs should not disclose the requested information unless the law enforcement agency has satisfied the appropriate safeguards; and TSPs should only disclose the minimum information needed to satisfy the specific request. This will help ensure that the use of this authority is circumscribed to the extent possible.
3. Preservation Orders
Preservation orders are designed to protect volatile evidence relevant to a specific investigation or proceeding — evidence that might be destroyed or erased while a search warrant or production order (see below) is being sought. A preservation order is a do not delete/do not destroy order — it is sometimes referred to as the "quick freeze" approach.
The government is proposing two types of preservation orders:
- Interim preservation orders that will not require judicial authorization. They do, however, require "reasonable grounds to suspect that a person has possession or control of documents or data that will assist in the investigation of an offence..." They can last up to 15 days. They are intended to be used as a stop gap measure while a production order or a longer preservation order is being sought — see below. The proposed safeguards include requiring a law enforcement officer to give written notice to the TSP allowing the TSP to object or make other representations regarding the terms of the preservation order; and
- Longer-term preservation orders, which can last up to 90 days, require judicial authorization. The proposed safeguards include a requirement for judicial authorization based on a "reasonable grounds to suspect" threshold and a process for TSPs to object.
Used with discretion and appropriate oversight, preservation orders are preferable to retention orders that would require TSPs to save communications data for a period of months or even years as has been proposed or implemented in some countries. In addition to the safeguards discussed above, we would recommend additional safeguards or clarification as follows:
- The preservation orders should be clearly targeted to a specific telephone number, IP address, communication device, etc. — the net should be as narrow as possible;
- TSPs should only be required to preserve data they have; they should not be expected or required to create, restructure or organize data;
- In the case of an interim order, the law enforcement agency should be required to state the purpose for which it wants the data preserved;
- Interim preservation orders should be the exception rather than the rule — they should be limited to exigent circumstances. In some cases there is little or no risk that the data will be destroyed. For example, telcos keep long distance records for months for billing purposes — this would not be a situation where a preservation order was necessary or appropriate. Such orders should only be used where there is a clear risk that data necessary for an investigation will be destroyed or erased while a judicially authorized preservation order or production order is being sought;
- Orders should be as short as possible — 90 days should be the maximum not the norm for judicially authorized orders;
- Both TSPs and law enforcement agencies should keep detailed records of all preservation orders they receive or issue; and
- The government should also consider limiting the application of preservation orders to investigations involving more serious offences. The Ontario Information and Privacy Commissioner suggests that production orders should be limited to investigations in respect of the offences listed in section 183 of the Criminal Code. This is a long list of offences that includes everything from high treason to bribery, all the assault and robbery offences, to customs offences. Generally, these are offences that carry sentences of 5 years or more. We think that this should also apply to preservation orders.
4. Production Orders
A production order is somewhat akin to a search warrant with the significant difference that the organization on which it is served is required to produce the information as opposed to law enforcement agencies entering the premises to obtain the information.
The Competition Act contains a production order provision as does the Criminal Code as a result of the passage of An Act to amend the Criminal Code (capital markets fraud and evidence-gathering) in 2004. Under the Criminal Code, general production orders can be issued if a judge is satisfied that there are "reasonable grounds to believe that an offence ... has been or will be committed". A specific production order for financial or commercial information (for example, bank account information) can be issued under the lower threshold of "reasonable grounds to suspect".
Two new production orders are being proposed, both on the lower "reasonable grounds to suspect" threshold, as a means to obtain
- Tracking data: "information that would assist in determining the location of a person or thing at a particular time" (for example, debit card usage; cell phone usage); and
- Transmission data: "data relating to telecommunications functions of dialling, routing, addressing or signalling that identifies or purports to identify the origin, type, direction, date, time, duration, size, destination or termination of a telecommunication ..."
In terms of safeguards, the government has suggested that judicial authorization be required under a "reasonable grounds to suspect" threshold; that transmission data be limited to the explicitly listed types of data and not include message content; and that a production order for tracking data must require that only tracking data be provided.
The first point we would like to make about production orders is that they are a relatively new tool. They have only been part of the Criminal Code for a few months. We have been told that they are physically less intrusive than a search by law enforcement officials. This may be true, but in other ways they may be more intrusive. For example, they may sweep up far more personal information. While a search warrant is typically limited to a single location, a production order can require the production of information in scattered locations, including locations in other jurisdictions. In the case of a production order served on a TSP it may capture more information since the TSP will be familiar with its systems and networks and it may be more effective in terms of identifying all the relevant information. As well, production orders exemplify the concerns we expressed above about private sector organizations acting as agents of the state. For these reasons we recommend that the government should proceed with care with respect to the use of production orders.
The government should also proceed cautiously because the information involved — transmission data or tracking data — can be very sensitive. In the case of transmission data, the traditional distinction between relatively innocuous transmission data and more sensitive content is not always clear or valid. In the old analogue telephone world the distinction was meaningful, but this world has disappeared. The digits we punch into a modern telephone do not just connect us to another party, they can also reveal our financial transactions, PIN numbers and passwords, or even health information and we have only begun to tap the possibilities of modern digital networks. Internet traffic data, by pointing to the sites we visit, the chat rooms we participate in, and the information being searched, can reveal even more personal information.
To their credit, Justice Canada officials appear to accept the need to develop a new model. In principle, we agree with the notion of doing away with this content/traffic distinction and using an expectation of privacy approach akin to that used in R. v. Plant, which looks at the question of whether personal information is "core biographical information." However, it is not clear to us how this new model will be applied or what this will mean in practice.
We also want to comment briefly on location data. When the Supreme Court addressed the use of a tracking beeper in R. v. Wise, the court stated that the installation of the beeper on a vehicle violated the accused's section 8 rights under the Charter, but the evidence was not excluded. A number of reasons were cited for not excluding the evidence, including that the device was inaccurate and unsophisticated; it was attached to the vehicle, not the individual; the admission of the evidence would not bring the administration of justice into disrepute; and the beeper assisted visual surveillance — it did not replace it.
In dissent, Justice LaForest asked, "... in this era of explosive technology, can it be long before a device is developed that will be able to track our every movement for indefinite periods even without visual surveillance?" Footnote 10 The answer to LaForest's question is now obvious. We now have GPS-enabled cell phones and other devices that can track a person without visual surveillance. These devices are neither inaccurate nor unsophisticated, and they will only become more ubiquitous and more precise. Industry is now testing technologies that will make it possible to create surveillance grids based on a combination of locational and communications data.
We recommend that the use of production orders should be limited to the offences listed in section 183 of the Criminal Code as discussed above with respect to preservation orders.
A second safeguard would be to require that production orders be based on the higher reasonable grounds to believe threshold, as opposed to a reasonable grounds to suspect test.
One of the most important issues raised in the consultation documents is how to deal with e-mails. The consultation documents raise the question of whether e-mails should be intercepted or seized and whether the answer should vary depending on the point where the e-mail is captured. The legal requirements for intercepting a private communication (Part VI — sections 185 and 186) are more onerous than the requirements to seize documents or records. The latter requirements are set out in Part XV of the Criminal Code — section 487. Part VI authorizations are only available for section 183 offences; they require that other investigative techniques have been tried and failed and the judge has to be satisfied that it is "in the best interests of the administration of justice" to issue the authorization.
The question is complex, and important, because an e-mail can be captured at many different points. The consultation documents set out eight possible points of capture, beginning with the input of the e-mail by the sender and ending at the point when the message is under the control of the recipient.
The consultation documents appear to acknowledge that gaining access to an e-mail when it is being composed, transmitted, or received would qualify as an interception. The government seems to be suggesting, however, that acquiring or capturing e-mails when they are stored at the sender's or the recipient's ISP or when they are under the control of the recipient could be considered a seizure.
In our view the expectation of privacy should attach to the act of communicating, not the means of communicating. There are inherent problems in tying protection to technology rather than communication — to do so virtually guarantees that these provisions will be redundant as technology advances. Instead we should protect communication.
Clearly, large numbers of people have decided that they would rather communicate by e-mail rather than letter or telephone. Their ability to communicate with a high expectation of privacy should not depend on the form of communication they choose.
We are not convinced by the suggestion that capturing e-mails when they are temporarily stored at the sender's or the recipient's ISP deserves a lower standard of protection. Temporary storage should not be a consideration. If the same reasoning were applied to letter mail, a letter temporarily residing in a post office would be treated differently than a letter in a moving truck or in a letter carrier's mail bag. Nor are we persuaded by the argument that an e-mail should not be considered a private communication just because it may be technically easier to intercept an e-mail than a telephone call.
We believe that capturing an e-mail should be treated as an interception, with all the protections this affords, until at least the point when the e-mail has been opened by the recipient.
6. New and Revised Offences
The government is proposing to revise some existing Criminal Code offences:
- Section 342.2 deals with the possession of hacking tools to commit an offence. The government is proposing to extend this to cover importing, obtaining for use, and making available such devices and to criminalize the possession of a virus for the purpose of mischief;
- Section 191 makes it an offence to possess interception devices. The government believes this has to be refined to allow for a lawful excuse or justification as in found in section 342.2; and
- The government is proposing to extend section 372 that deals with harassing or indecent letters or telephone calls to cover other means of communication such as e-mails.
We do not have any concerns with these proposed measures in terms of their impact on the protection of personal information. On the contrary, we support the proposed change to section 372. Harassing telephone calls and calls that are intended to alarm or frighten individuals are a deeply disturbing invasion of privacy. Extending this offence to cover other forms of communication is consistent with our general view that the law should apply to the act of communicating, not the form of communication, and, more importantly, this would enhance the protection of privacy.
The lawful access measures being proposed are far-reaching. They go beyond simply ensuring that law enforcement agencies will be able to maintain existing monitoring and interception capabilities. If the measures being proposed are implemented, law enforcement agencies will have powers they did not have in the past — most notably the authority to serve preservation orders and the ability to compel the production of customer information without a warrant. More generally, law enforcement officials will have more tools at their disposal to combat both emerging cybercrimes and more traditional offences.
The measures being proposed are equally, or perhaps even more significant because of the increased importance of communications in today's world. Communications technologies play a much larger role in our lives than they did in the past. Less than a generation ago there were only two readily available ways to communicate — by wireline telephone and by letter. Now we can communicate using wireless telephones, e-mails, text messages and personal digital assistants, to list only the most obvious alternatives. More than half of all Canadian households have a cell phone and Internet access. More people are communicating more often using more devices than ever before. Canadians send more than 2.7 million text messages a day. Many of these new forms of communications leave data trails that can survive long after we have forgotten all about the content of the message.
Not only will law enforcement agencies have a greater ability to obtain communications data; there is also much more data available and, as discussed above, they now have far more sophisticated means of analyzing this data. This combination could result in law enforcement agencies being able to gain access to far more information about our personal lives than they have in the past.
We remain sceptical about the need for these potentially intrusive and far-reaching measures. The question of necessity is critical; without knowing more about the rationale for these proposed measures we cannot assess if they are proportionate.
We are aware that the initiative to reform Canada's lawful access regime predates the September 11, 2001 attacks. Nonetheless, we find it difficult not to draw parallels between the measures being proposed and the Anti-terrorism Act. As we stated in our submission to the Senate Special Committee on the Anti-terrorism Act, that legislation gave overly broad surveillance powers to security, intelligence and law enforcement agencies while unduly weakening the constraints on the use of those powers and reducing accountability and transparency. In both cases, the question that we have to ask as part of our mandate is whether the gain in security justifies the sacrifice of privacy and other rights.
The Anti-terrorism Act was passed in haste without sufficient regard to the question of necessity and adequate consideration of whether the measures were proportionate to the threat. We would urge the government to learn from this experience. The government should only move forward with these proposals if it can demonstrate they are necessary and, if this test can be met, the government must institute appropriate safeguards to limit the scope and application of the proposed measures and ensure timely and effective oversight.