Balancing Privacy and Law Enforcement Panel

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

Remarks at a Conference entitled "Securing the Cyber Commons: A Global Dialogue", organized by the Canada Centre for Global Security Studies, the Munk School of Global Affairs, the University of Toronto and the SecDev Group

March 28, 2011
Toronto, Ontario

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)

---

Introduction: Privacy ethic in cyberspace

OPC is an advocate for privacy rights and I speak from that perspective.

Privacy is a fundamental and inalienable human right. So too is security of the person.

The challenge is to devise an architecture in which these twin rights do not simply co-exist, but flourish.

The danger is that the pursuit of one – security – will come at the expense of the other – privacy.

Society faces this simultaneous challenge and danger because governments and corporations are accumulating, sharing, matching and comparing egregious amounts of personal information for a host of known – and often unknown – purposes.

They are able to do this because Canadians, like most people around the world, are fascinated by the cyber commons, and also increasing dependent upon it.

It used to be that if it wasn't in writing it didn't count; now, if it is not on a computer it doesn't count.

Some people have argued that there is little expectation of personal privacy in a society where everyone wants to share, everything, all the time, with everyone else.

We live with devices that are always connected, web services that reward continual disclosure, networks that are always open.

Canadians, young and old, may willingly disclose personal information but they react with dismay and outrage when this "sharing" of personal information happens without an individual's knowledge and consent.

Canadians see privacy as exercising control over the disclosure of personal information.

Consider:

• The backlash over Facebook's unilateral dilution of privacy settings;
• Google's introduction of Buzz without consulting Gmail users;
• The continuing unease over access to the naked-body images captured by the new airport security scanners, (now discovered by the TSA in the U.S. to emit 10 times as much radiation as initially announced); and
• The public dismay after a public inquiry headed by Mr. Justice O'Connor found that gross violations of personal privacy precipitated the illegal abuses suffered by Maher Arar.

My conclusion: reports of the death of the privacy ethos among individual Canadians have been greatly exaggerated.

Perhaps because of a mistaken belief that privacy isn't highly valued today some appear to regard it as little more than just one more factor to be taken into account when proposing laws, crafting regulations or calculating business risk.

Privacy is much more than that.

It is a social good, which is a precursor for a panoply of political freedoms.

It is not merely a social expectation of privacy at risk when governments seek to reduce privacy protections in pursuit of security ends.

Instead, there is what Queen's University scholar David Murakami Wood terms the "tacit social contract," under which individuals expect to be free and have their freedoms protected by the state.

"Where that protection starts to remove those freedoms themselves, that tacit contract is challenged," Wood writes.

I noted earlier that privacy is a human right, recognized by the Supreme Court as a quasi-constitutional right enshrined in the Canadian Charter of Rights and Freedoms

But formal recognition as a right stretches back to Universal Declaration of Human Rights in 1948, where Article 12 begins:" No one shall be subjected to arbitrary interference with his privacy."

This provision, like much of the Declaration, was a reaction to the grave human rights abuses carried out by various States during WW II.

For example, a lack of legal restrictions and controls made it very easy for Axis forces to use records they seized in Poland, Belgium, France and elsewhere to quickly seize individuals and assets they wished to target.

Specific panel questions

1. Do we need to give law enforcement and intelligence more powers to police cyberspace? (lawful access bills)

Our Office understands the challenges faced by law enforcement and national security authorities at a time of rapidly changing communications technologies. We have also heard from private sector that public sector is too secretive about cyber attacks and needs to move faster on cyber security.

But let's keep a sense of perspective.

A comprehensive recent study^{Footnote 1} for the OECD concluded that "very few single cyber-related events have the capacity to cause a global shock" and that "it is unlikely that there will ever be a true cyber war."

Or, consider the Guardian database created by the U.S. Department of Homeland Security for state and local authorities, businesses, and private citizens to report suspicious activities to the FBI for analysis.

According to a report in the Washington Post, as of December last year, there were 161,948 suspicious-activity files in the classified database.

Another 7,000-plus were stored in an unclassified section of the database. Of those, 103 led to full-blown investigations, resulting in some five arrests.

Convictions so far? Zero.

As David Loukidelis, B.C.'s former Privacy Commissioner and now the province's Deputy Attorney General has pointed out, programs of this kind often amount to surveillance of the many to find the guilty few.

Nonetheless, the recent security breaches at Treasury Board and Finance demonstrate – at the very least – what might be termed cyber reconnaissance forays.

This is why I want to emphasize that in the context of data protection, the joint objectives of privacy and security are not at odds. Instead, they complement each other.

When we are protecting cyberspace – the information that resides in it and the infrastructure on which it rests – we are protecting people's personal information.

As personal information increasingly resides in cyberspace, privacy protection increasingly relies on cyber security.

Violating people's privacy in the interest of ensuring cyber security would defeat the very purpose of cyber security.

As well, the "tacit social contract" would be broken resulting in plunging citizen trust in government. Result: security measures may be undermined, ignored, circumvented or resisted.

Now, to the particular question posed to the panel.

The OPC believes that the appropriate approach to this issue is a four-stage test which flows from the reasoning of the Supreme Court in the landmark Oakes Charter decision in 1986.

• Is the policy or measure necessary to meet a specific need?
• Is it effective in meeting that need?
• Is the loss of privacy proportional to the need?
• Is there a less privacy-invasive way of achieving the same end?

How does the current lawful access initiative, especially Bill C-52, stack up against this test?

Provincial and territorial privacy commissioners and privacy enforcement officials addressed that question in detail in a letter earlier this month to the deputy minister of public safety, which repeats concerns repeatedly expressed

Bills C-50, C-51 and C-52 (augmented by changes in Bills C-22 and C-29) would substantially diminish the privacy rights of Canadians.

The bills enhance the capacity of the state to conduct surveillance and access private information while reducing the frequency and vigour of judicial scrutiny

They make it easier for the state to subject more individuals to surveillance and scrutiny.

However, despite this prima facia evidence that this initiative infringes on the privacy rights of Canadians, and despite public calls by privacy advocates since 2008, the letter from privacy commissioners noted:

"At no time have Canadian authorities provided the public with any evidence or reasoning to suggest that CSIS or any other Canadian law enforcement agencies have been frustrated in the performance of their duties as a result of shortcomings attributable to current law, TSPs or the manner in which they operate."

And so, the threshold test of whether more powers are necessary has not even been addressed, much less answered.

Proponents of the lawful access initiative have also not yet addressed the other three conceptual tests:

• Are the proposed laws effective in achieving the stated objective?
• Is the privacy intrusion demonstrably proportionate to the purported security benefits?
• Do alternatives exist that could achieve the same ends, with less impact on privacy?

The crux of Bill C-52 would be to compel telecommunications companies to provide a wide range of personal information without a warrant to law enforcement agencies – unlisted numbers, email account data and IP addresses.

This is a significant privacy intrusion and again no evidence has been offered that it would result in any security benefits, much less ones of equivalent significance.

Even if the initiative could be justified at this conceptual level, there remains still the detailed design and implementation of the laws, plus crucial matters such as evaluation, oversight and redress.

The letter from the provincial and territorial privacy commissioners also details major concerns with oversight for C-52, especially the auditing and reporting safeguards.

Our Office has made efforts to help security agencies, policymakers and others in their search for that elusive equilibrium between public security and privacy rights.

Last November, we published a reference guide for policymakers, practitioners and citizens, which is available on our website.

Regrettably, the proponents of Bill C-52 and other parts of the lawful access initiative have not respond publicly to many of the questions raised in that guide.

2. Do states have too much, or not enough, surveillance powers in cyberspace?

The answer depends on what is deemed to be "enough."

There is honest disagreement here on that question over lawful access initiative.

Similarly, disagreement has surfaced in both the United States and the United Kingdom over proposals for respective national eavesdropping agencies to monitor vital private computer networks for potentially damaging cyber attacks.

In the United States, the surveillance monitoring would be coordinated by the National Security Agency under a program called "Perfect Citizen." ^{Footnote 2}

In Britain, a group at the Government Communications Headquarters (GCHQ) would be responsible.^{Footnote 3}

Both programs would look for "unusual" activity on computer networks of privately owned infrastructure such as electricity grids, subways systems, air-traffic-control networks.

Some industry sources have complained that governments could use these programs to spy on private communications, but others have said heightened security against cyber attacks in the private sector is overdue.

While there is debate over the extent of state surveillance powers in Canada, the United States and the United Kingdom, many in the West agree that state cyberspace surveillance powers in countries like China or Iran are "too much."

Many Canadians also have been saying Indian authorities want "too much" power in demanding access to encrypted messages on BlackBerry's corporate e-mail service and also peer-to-peer messaging.

RIM is one of Canada's greatest technological success stories and a key market advantage is its perceived highly secure email service and messaging.

Robert Crowe, RIM's vice-president of industry and government relations, told the Wall Street Journal that these "rather astonishing" demands raised the question of whether the Indian government believes any communications are legally off-limits, including e-mail conversations of foreign ambassadors and financial records transmitted over secure telecommunications networks.

Consider the "universal intercept" provision of Bill C-52. It would require all wireless, Internet and other telecommunications companies to allow for intercept capabilities – now and when they upgrade their software or network infrastructure – and to maintain those capabilities over time.

This applies to all types of telecommunications technology – conventional wire line service, wireless communications, Internet-based communications, satellite communications – and any other technology used in telecommunications, from

Skype and SMS texts to online chats and PIN-to-PIN communications on BlackBerrys.

In effect, security agencies in Canada would be given what the Indian security agency is seeking, a back door into corporate BlackBerry commuication.

In India, RIM has offered a work-around to intelligence and security agencies, according to Crowe.

The metadata available to telecomm operators includes the time any BlackBerry messages were sent, and the corporate e-mail server used.

Crowe says authorities could gain lawful access to that information via a legal order and look for patterns. They could then pursue investigations by going to the corporate entity which owns the server.

This would appear to be an alternative approach that would achieve the same security end with much less intrusion on personal privacy.

Similarly, RIM gave Indian telecomm operators a system to get unscrambled versions of encrypted Messenger chats, after they have a legal order.

So, resorting to warrantless access is not deemed necessary . . . for Indian security authorities.

3. Who will guard the guards themselves?

Quis custodiet ipsos custodies? – Juvenal (Satires)^{Footnote 4}

The threshold issue is the strengthening of data management within agencies through enhanced training and introduction of information verification and challenge functions.

The importance of this needs to be driven home through resourcing to implement relevant Treasury Board directives.

There are three possible levels of oversight processes – internal to departments and agencies, external administrative bodies and parliamentary.

The need

The need for oversight should be self-evident with the exponential increase in collection of personal information across government programs, especially in security organizations.

Both the O'Connor (2006) and Iacobucci (2008) commissions found that inaccurate or misleading intelligence was compiled and inappropriately shared. It was then used to justify the detention, deportation and even torture of certain men.

This cascade of factors was triggered by gross violations of the privacy rights of the individuals involved.

Pprivacy law encompasses both who is allowed to collect personal information, plus who is accountable for protecting that information, ensuring it is accurate and limiting disclosure.

As a result of the secrecy of law enforcement and security bodies, most individuals will not know when personal data is being collected about them.

Individuals cannot meaningfully exercise their rights to acess their information or set the record straight.

Internal oversight

The first line of defense should be strengthening of internal oversight processes.

Our Office has repeatedly recommended creation of executive-level chief privacy officers in all government departments and agencies, starting in 2004, when Public Safety was being established. That proposal was not implemented.

The practice of appointing chief privacy officers exists in the U.S. Department of Homeland Security, and in U.K. departments with Senior Information Risk Officers

External oversight

Public trust requires external oversight, as the Auditor General noted in a March 2009 report on intelligence and information gathering

[Canadians] "need to know that government agencies and departments maintain a balance between protecting the privacy of citizens and ensuring national security. Canadians also need to have confidence that the decisions and activities of intelligence agencies are legal, consistent, and appropriate, and that they are subject to examination by independent review."

Commisioner O'Connor, who headed the Arar inquiry, recommended expanding the powers and mandate of the Commission for Public Complaints against the RCMP (CPC) to mirror the role the Security and Intelligence Committee (SIRC) plays in overseeing the Canadian Security and Intelligence Service (CSIS).

Commissioner O'Connor also recommended extending an independent review and complaints investigation process to encompass the Canada Border Services Agency, Citizenship and Immigration, Transport, the Financial Transactions and Reports Analysis Centre and others.

No action has yet been taken on these recommendations.

Strengthened oversight bodies need to be networked so that they are able to conduct joint investigations and report in tandem.

Parliamentary oversight

Parliamentarians are largely in the dark concerning much of Canada's national security activities, which is where some of the most egregious violations of privacy have occurred.

Other countries – notably the United States, Australia, the United Kingdom and Germany – have provided important symbolic challenge function on national security issues.

The House and Senate committees on Public Safety and National Security could exercise more in-depth review of national security agencies by pooling research and resources and working in tandem.

Role of OPC

The Privacy Act is the cornerstone for the control of government handling of personal information.

Despite the critical importance of the legislation, there has been no significant reform since it took effect in 1983.

Our Office has called for a complete overhaul, but there is no indication this is forthcoming. In the meantime, we have proposed some urgent quick fixes needed to be able to adequately "guard the guards" in the realm of privacy protection need, including:

• a legal "necessity test" requiring government institutions to demonstrate the need for the personal information they collect;
• a requirement for government institutions to carry out and publicly report privacy impact assessments before implementing new programs or procedures;
• expanded review by the Federal Court for violations of the Act and the power to award damages against offending institutions; and
• new provisions governing disclosure of personal information to foreign states.

Our Office supports the idea of mandatory data breach notification in the private sector. A model regime is included in legislation introduced following the first mandated Parliamentary review of PIPEDA. We look forward to those provisions being passed by Parliament.

Meanwhile, anti-spam provisions expected to come into force later this year will reinforce our Office's power to investigate the unauthorized collection of personal information through spyware or electronic address harvesting.

Our Office will also gain explicit authority to share information with other enforcement authorities and collaborate with data-protection agencies elsewhere in Canada and abroad.

Conclusion –Solutions, including an Ethics of Information

A lasting solution to balancing safety and privacy isn't going to be come solely from improved training, stronger oversight or updated legislation, as desirable as these are.

Rather, any solution will require the development of what I'll call an "ethics of information" to guide our institutions in the digital age.

That may sound grandiose, but consider this comment from more than a half century ago:

"Constant changes in technology, particularly as they affect communication, are a crucial factor in determining cultural ideas, shaping social norms and only increase the difficulties of recognizing balance, let alone achieving it."

That was written by the historian and communications scholar Harold Innis, whose name graces the building where yesterday's plenary took place, in his seminal 1951 work The Bias of Communication.

Looking at developments such as social networking, few would deny that there have been astonishing changes in communications in recent years and that these have defined a whole new culture and are reshaping social norms.

Some things are definitely out of balance. Consider this observation about the West from present-day communications scholar Naomi Klein:

"China is becoming more like us in very visible ways (Starbucks, Hooters, cell phones that are cooler than ours), and we are becoming more like China in less visible ways (torture, warrantless wiretapping, indefinite detention, through not nearly on the Chinese scale.)"^{Footnote 5}

No schema exists for an ethics of information, but various elements are starting to come together, much like heavenly bodies coalesce from swirling gases and dust.

For example, U.S. legal scholar Daniel Solove posits that the greatest long-term privacy risk that citizens run is not from the government of today, but from the information collected today, and used by the government of tomorrow (or next year, or next decade).

Information in this context truly is power, the memory of bureaucracies exhaustive, and well-compiled files forget nothing.

Solove writes: "Privacy is not merely a right possessed by individuals, but is a form of freedom built into the social structure. It is thus an issue about the common good as much as it is about individual rights. It is an issue about social architecture, about the relationships that form the structure of our society."

What's needed, therefore, is a better "architecture of power" to regulate government information-gathering by addressing minimization, particularization, and control.

The concepts of minimization and control are obvious. Particularization requires law enforcement officials to exercise care in selecting the individuals who should be investigated.

Another emerging element in the nascent ethics of information might well be the right to be forgotten, or what could be called information amnesia.

European Justice Commissioner Viviane Reding announced earlier this month that rules giving people the right to be forgotten will form part of a proposal for a major strengthening of European privacy legislation.

The rules would place the onus on data controllers to prove they need to keep the collected data and would strengthen individuals' right to have information deleted.

Somewhat related is the idea of allowing people to declare "reputational bankruptcy" if they want to shut down their online presence proposed by Jonathan Zittrain, author of The Future of the Internet ... and how to stop it.

Another planned European change will be what Reding calls "privacy by default."

As Reding noted: "Privacy settings often require considerable operational effort in order to be put in place. Such settings are not a reliable indication of consumers' consent. This needs to be changed."

This could be seen as similar to the "Privacy by Design" approach championed by Ann Cavoukian, Ontario's Information and Privacy Commissioner.

In November 2010, the International Conference of Data Protection and Privacy Commissioners in Jerusalem approved a resolution recognizing the principles of Privacy by Design as an "essential component of fundamental privacy protection."

Privacy by Design enshrines the principle that privacy considerations must be embedded as the default into the design, operation and management of information technologies and systems – across their entire lifecycles and throughout an organization, end-to-end.

A key element of the new ethics might also have to be an about-face in popular culture, away from the current veneration for devices that are always connected, web services that reward continual disclosure, networks that are always open.

For example, people using free public WiFi networks for smart phones and tablets now provide hundreds of easy targets for "side jackers" who can take over their identities with software such as Firesheep.

Some of these easy targets may well be government employees who have sent sensitive documents to their Gmail accounts so they can slip out for a barista coffee and yet keep working.

An unexpected advocate for this point of view is retired Gen. Michael Hayden, the former head of both the U.S. National Security Agency and the CIA.

"In the popular culture, the availability of 10,000 applications for my smart phone is viewed as an unalloyed good. It is not – since each represents a potential vulnerability," Hayden wrote in the spring issue of US Air Force's Strategic Studies Quarterly

Public education must play a pivotal role in the new "ethics of information."

Finally, the new ethics must have a moral compass. Here's one example, from Chris Hedges in Empire of Illusion:

"A culture that does not grasp the vital interplay between morality and power, which mistakes management techniques for wisdom, which fails to understand that the measure of civilization is its compassion, not its speed or ability to consume information, condemns itself."