Backgrounder

National security issues highlighted in Commissioner’s 2016-17 Annual Report

OTTAWA, September 21, 2017 - The Office of the Privacy Commissioner of Canada has long emphasized the importance of balancing privacy and security to ensure the rights of otherwise law abiding Canadians are not put at undue risk. For example, these were among the key concerns we raised with respect to C-51, the Anti-Terrorism Act, 2015, and more recently during the federal government’s consultation on Canada’s national security framework.

No one would contest the need to protect the safety of our citizens. Canadians want to be and feel secure, but not at any and all costs to their privacy.

Similarly, everyone can agree that police and national security agencies require adequate tools to fulfill their key role in keeping Canadians safe; and also that these tools need to be adapted to the digital world. However, the powers of police and national security agencies have already been significantly increased—in particular with the passage of Bills C-51 and C-13 (Protecting Canadians from Online Crime Act).

The audit and review and investigative work described in the Privacy Commissioner’s 2016-17 Annual Report to Parliament highlights how these issues remain an ongoing challenge.

Our office’s findings have shown that information sharing by federal government institutions is generally done in a responsible manner. However, our reviews and investigations have identified significant process deficiencies that reinforce the importance of basic privacy protections: Clear safeguards are needed to protect rights and prevent abuse; national security agencies must be subject to effective review; and that any state powers must be justified on the basis of evidence.

Here is summary of some of the OPC’s key work over the past year in the area of national security:

Review of SCISA: Operationalization of the Security of Canada Information Sharing Act

In 2016-17, we undertook the second phase of our review of the operationalization of the Security of Canada Information Sharing Act (SCISA), introduced in January 2015 as part of Bill C-51. It focused on the nature of information exchanges and mechanisms in place to ensure personal information is handled in accordance with legal and policy requirements.

What we found

The vast majority of disclosures met the threshold for information sharing under the Act. However, there were significant procedural deficiencies in the operationalization of the Act.

There was no formal overarching reporting structure in place to capture the exchange of information and record keeping practices varied. Furthermore, not all disclosures or receipts of information under SCISA were recorded. This meant we did not receive complete records and could not properly assess all disclosures.

To date, none of the institutions we reviewed have completed a Privacy Impact Assessment in relation to their activities under SCISA despite a recommendation from our Office to do so.

Conclusion:

Without appropriate recordkeeping and internal controls, the use of SCISA’s information sharing authorities will remain a threat to the privacy of individuals. While SCISA’s preamble underscores the importance of privacy, not all institutions sharing personal information appear to have formally considered the privacy impacts of their information sharing practices under the Act.

Review of CBSA’s Scenario Based Targeting of Travelers – National Security

The purpose of our review was to assess whether the Canada Border Services Agency (CBSA) implemented adequate controls, including policies and procedures, to ensure that personal information handling practices for the national security component of its Scenario Based Targeting of Travelers (SBT) program complied with the Privacy Act and applicable government of Canada polices, directives and guidance.

By law, commercial air carriers must provide the CBSA with detailed information on all travellers to Canada. This includes name, date of birth, citizenship, contact phone numbers, seat number, payment information and more. The CBSA uses this data to identify individuals who are or may be involved with terrorism or terrorism-related crimes or other serious offences that are transnational in nature. The SBT program uses advanced analytics to evaluate the data against a set of conditions or scenarios. Individuals who match a scenario are vetted further and may be subject to closer examination at port of entry.

What we found

The CBSA has implemented policies and procedures to guide the development and refinement of scenarios, the risk assessment process for individuals and the evaluation of scenario effectiveness.

The review raised the concern that some of the national security scenarios used by CBSA are broad and based on personal characteristics which identify a large number of law abiding individuals, whose personal information is used and shared without sufficient privacy protections. Up to 60,000 people a year are flagged for additional scrutiny.

Conclusion:

The Court of Justice of the European Union released an opinion in July. It concluded the Canada-EU agreement on the transfer and processing of passenger data did not meet the legal requirements of necessity and proportionality and that is incompatible with fundamental rights.

The opinion highlights the importance of ensuring that strict limits are set for the retention and use of passenger data and other personal information subsequently collected by the CBSA for the administration of the SBT program, particularly for those individuals who have been assessed as posing no threat to national security.

Review of the RCMP’s Counter-Radicalization to Violence Efforts

Our review inquiries focused on the RCMP’s Terrorism Prevention Program and the activities of the National Security Intervention Team which provides support on national security investigation files related to individuals who have been radicalized to violence but have not met the criminal threshold for charges.

It was prompted following the release of the government’s Green Paper on national security which discussed efforts to combat “radicalization to violence.” While we recognize the value of such efforts, we were concerned that prevention activities in this regard might involve widespread internet monitoring.

What we found

The RCMP confirmed it does not use mass surveillance techniques or technologies in its efforts to detect and prevent national security threats, nor does it employ broad-based internet monitoring or scenario based targeting. Rather, national security investigations aimed at counter-radicalization generally result from information from sources such as family members, the general public or the RCMP’s law enforcement and security partners.

Conclusion:

We are satisfied with the RCMP’s processes in this regard related to counter radicalization and continue to advocate for an approach in which prevention activities and detection efforts are based on credible threats, as determined through reliable intelligence.

Review of CSIS Operational Data Analysis Centre

In the course of exercising warrants issued by the Court against individuals who pose a security threat, CSIS collects the content of communications and their metadata, which refers to information about a communication. A 2016 Federal Court judgement, however, found that CSIS had illegally retained third party, non-threat related metadata. Third party information involves individuals who are not targets of a CSIS investigation, while non-threat-related information is information that does not relate to a “threat to the security of Canada,” as defined in the CSIS Act. CSIS warehouses this data within the Operational Data Analysis Centre (ODAC).

The Federal Court’s decision was clearly an important decision for privacy and for advancing privacy protection. In response, CSIS indicated it would prohibit access to the metadata in question pending its review of the Court’s decision and reached out to our Office to discuss the matter.

Our review focused on the actions taken by CSIS to address the court’s decision regarding the retention of third-party, non-threat related metadata by the ODAC.

What we found

We confirmed historical metadata holdings in the system have been fenced off and are unavailable for use by ODAC analysts until a final decision regarding disposition of the data is made. That being said, we learned the same information resides elsewhere within CSIS as backups and that efforts are being made to ensure all requisite data is disposed of in accordance with the Court’s decision.

We also reviewed the court-imposed rules for assessing third party data and CSIS’s plan to operationalize those rules and found that the plan is in keeping with the court’s decision.

Conclusion:

We note that Bill C-59, tabled in the House of Commons in June, includes provisions for dealing with the collection, retention and use of datasets, which would include metadata, by CSIS. This includes a requirement for specific authorizations from the Minister of Public Safety for the retention of datasets that are not publicly available, a new oversight regime including an Intelligence Commissioner and the Courts, depending on the nature of the datasets in question. While it is too early to tell what will become of the Bill, we are satisfied that CSIS’s plan in the interim appears to be consistent with the court’s ruling.

IMSI Catchers

We investigated a complaint related to the RCMP’s refusal to confirm or deny whether it uses cell site simulators (aka “Stingray” devices or “IMSI catchers”) as part of its surveillance activities.

The complainant was particularly concerned that the RCMP might be using the devices to monitor large groups of people in a given location and that the devices could intercept the content of voice and text communications. The complainant believes the public has a right to know if these technologies are being used, since their use has the potential to subject innocent Canadians to privacy violations without their knowledge or consent.

During our investigation, the RCMP held a technical briefing with media outlets and confirmed it does own and use cell site simulators, which it calls Mobile Device Identifiers (MDIs). The RCMP assured its use of the devices complies with all Canadian laws and that the devices only intercept standardized unique numbers associated with mobile subscribers and their devices and are not capable of intercepting private communications.

While these assertions were consistent with what the RCMP told us during our investigation, we sought to independently verify the technical capabilities of the cell site simulators and additional information regarding the legal authority under which they are operated, and how the RCMP uses, retains, and disposes of the data collected by these devices.

What we found

We learned the devices were deployed in 125 criminal investigations between 2011 and 2016. Judicial authorization was obtained in all but 13 deployments, seven of which involved “exigent circumstances” in which there was reason to believe action was necessary to prevent imminent loss or destruction of evidence, bodily harm or death. In such cases, a warrant is not necessarily required. In the remaining six cases, we learned the RCMP was acting on legal advice that no warrant was required.

Following a demonstration of how the devices are used and an inspection of the devices themselves, we determined these particular ones are not capable of intercepting private communications such as voice communications, email messages, text messages, contact lists, images, encryption keys or basic subscriber information.

Where the RCMP had obtained prior judicial authorization, we found the personal information collected during the MDI deployment was consistent with the Privacy Act, and that the collected information was properly segregated, secured, retained, and ultimately destroyed. Our conclusions are supported by a sample warrant provided to us by the RCMP, in which terms and conditions stipulate that all personal information collected using the MDI device will be protected from any use or disclosure for any purpose unless “ordered otherwise by a court of competent jurisdiction.” We believe these terms and conditions provide an important safeguard for the personal information collected by these devices.

Although we believe the RCMP was operating in good faith based on legal advice, in the six cases where officers did not obtain a warrant and were not presented with exigent circumstances, we determined the collection of personal information was in contravention of the Privacy Act.

Conclusion:

We believe that the RCMP has taken appropriate steps to remedy the situation. It now requires prior judicial authorization for all MDI deployments unless presented with exigent circumstances.

Date modified: