The Book

 

 

 

 

This blog comments on Canadian (and occasionally comparative) national security law to update my National Security Law textbook and now also my 2015 book, False Security: The Radicalization of Anti-terrorism, co-authored with Kent Roach.

Please also see www.antiterrorlaw.ca for Bill C-51-related analyses by Craig Forcese and Kent Roach.

For narrated lectures on various topics in national security law, please visit my 2017 "national security nutshell" series, available through iTunes.

Please also visit my archive of "secret law" in the security area.

By Craig Forcese

Full Professor
Faculty of Law

Email: cforcese[at]uottawa.ca

Twitter: @cforcese

 

Subscribe to National Security Law Blog
National Security Law Blog Search

Best Law School/
Law Professor Blog Award

 

Most Recent Blog Postings
Thursday
Oct232014

Does the State Belong in the Computers of the Nation? Legal Developments in Cybersurveillance

[After returning from extended travels, I delievered the following talk on Wed Oct 22 at the Confernece Centre in downtown Ottawa, as part of the SERENE-RISC cybersecurity conference.  After our panel, we were notified that the building was in lockdown because of events unfolding across the Canal.  The policy and political conversation will likely focus now on new powers and procedures for security and intelligence agencies.  I debated, therefore, whether to post these notes at this time.  However, history persuades me that it is better to twin any discussion of state powers with consideration of accountability, or risk violating the law of unintended consequences.] 

Pre-Recorded Screencast

 

Does the State Belong in the Computers of the Nation? from Craig Forcese on Vimeo.

 

Speaking Notes

I’ve entitled my talk, somewhat tongue in cheek, “Does the State Belong in the Computers of the Nation?”

So let me answer.  Yes, there are absolutely circumstances where the state should have powers of surveillance – nothing separates communication by electronic device from the sort of important policy concerns that justify carefully controlled and overseen state surveillance.  And those policy concerns are compelling.  Not least, there are bad people who would do us harm, and anticipating and preempting their conduct is often our best defence.  That requires intelligence, and intelligence often depends on surveillance.

But everything hinges on my caveat: “carefully controlled and overseen”.  Let me explain: in using these terms, I am talking of what I’ll call Privacy 1.0 – the idea that the best protection of privacy comes from supervising and limiting the data that government can collect in the first place.  As an aside: I think we also need more serious conversations about Privacy 2.0 – what the state can do with data already in its possession.  But I shall focus today on Privacy 1.0 and control of collection.

And on this issue, for a surprisingly long period of time, the rules governing intercept of computer-based communications have been murky, mostly because of the mismatch between modern electronic communication and laws designed for a different age.  This disconnect has created ambiguities that have variously been the source of uncertainty and also of creative state interpretations of exactly what it is they are legally able to do.

To the extent that Parliament has intervened, it has generally done so in a manner seeking clarity at the expense of privacy.  However, in the last year the Supreme Court has entirely recrafted the legal landscape in a manner that makes much past practice and past legislative projects irrelevant.  Put more concretely, the Court has signaled that “carefully controlled and overseen” still has a place in assessing the legality of state surveillance.

In the next 10 minutes, I want to set out where we’ve come from in this area, where we are now, and suggest where we may be heading.  My focus will be mostly, but not exclusively, on national security related surveillance.

Part 1: Where Have We Come From

In the area of security surveillance, privacy law has generally not kept pace with two key developments: first, the considerable overlap between what were once the fairly discrete areas of criminal law investigations, security intelligence investigations and foreign signals intelligence collection; and, second, the technological communications revolution. 

A.  Privacy and Crime

Let me trace a chronology of law, surveillance and technology in developing this thesis.  In 1974, Parliament enacted the Protection of Privacy Act -- now known as Part VI of the Criminal Code. Part VI is the most important of what we call “lawful access” provisions.  Part VI makes unauthorized intercept of private communications a crime.  In practice, and subject to some limited exceptions, lawful access therefore requires a judicial pre-authorization.

Judicial blessing in advance of interference with a reasonable expectation of privacy has since also become the standard under section 8 of the Canadian Charter of Rights and Freedoms.  And the practice for judicial authorizations of all sorts in privacy matters has been “specificity” – that is, warrants are issued for finite purposes against finite targets in finite circumstances and locales.

Part VI was, and is, directed principally at law enforcement – it is the means by which the RCMP, for instance, receives wiretap authorizations.

B.  Privacy and Security Intelligence

That said, the key principles undergirding Part VI lawful access – advance authorization by judges with specificity – also became part of the regulatory system for the Canadian Security Intelligence Service, when that body was created in 1984.

There were, however, differences between criminal law surveillance and the security intelligence surveillance conducted by CSIS. (Note that “security intelligence” is a shorthand for a finite list of issues enumerated in the CSIS Act and relating to “threats to the security of Canada”). 

For one thing, Part VI authorizations must ultimately be disclosed – both their particulars (to the person surveilled, after expiry of the authorization) and also annual statistics on the number of such measures. 

In practice, the annual numbers of CSIS warrants do appear in the CSIS review body’s annual reports.  However, the existence of CSIS warrants are not disclosed to their targets, and only come to light in the rare instance where a CSIS investigation morphs into a criminal matter (and is passed on to the police and ultimately results in criminal charges), or even more rarely when a particular CSIS surveillance operation becomes a matter of public controversy.

Canadian law, in other words, places criminal law surveillance and security intelligence surveillance on a different legal footing when it comes to transparency.

C.  Privacy and Foreign Intelligence

Then in 2001, after 9/11, the National Defence Act was amended to codify formally the intercept powers of Communications Security Establishment Canada.  Of particular note, the new law opened the door to lawful intercept by CSEC of Canadian “private communications” as part of its so-called Mandate A – that is, collecting foreign signals intelligence. 

Up until this point, had CSEC intercepted Canadian private communications in performing this function, it would have committed a crime under Part VI of the Criminal Code.  After 2001, CSEC was exempted from Part VI so long as the Minister of National Defence authorized any intercept of private communications. 

Obviously, the fact that authorization comes from the minister, and not a judge, places CSEC on a fundamentally different footing than the police or CSIS.  Moreover, unlike CSIS or Part VI authorizations, CSEC authorizations are more generic permissions, relating to an “activity” or “class of activity” and not to a specific individual or individuals. And in terms of transparency, the CSEC review body tells us how many ministerial authorizations exist, but we know nothing about their content (which rests a closely guarded secret).

These differences in the CSEC lawful access regime likely reflected the perception that CSEC’s eyes were outward looking, focused on foreign signals intelligence that only incidentally and haphazardly swept up domestic communications.  Conventional privacy protections could, in these circumstances, be muted.

Much has since been said and debated in the post-Snowden period as to what CSEC does and does not intercept, and how and in what circumstances it captures private communications.  I will not rehearse that saga here.

Instead I make my key point: since 1974, the scope of lawful access has gone from: first, police investigating crime and intercepting with specific judicial authorization that then is subsequently disclosed; second, CSIS investigating security intelligence matters and intercepting with specific judicial authorization, that is never disclosed, and; third, CSEC collecting “foreign intelligence” by intercepting private communication (at least incidentally) with more generic authorization, not from a independent judicial officer, but from a member of the political executive, that is never disclosed.

 

D. Implications of Morphing Mandates and Technological Change

In the result, we have a system of surveillance law designed for a criminal law paradigm, tweaked to deal with security intelligence and essentially abandoned in all material respects for foreign signals intelligence. 

This may have been sustainable in a period when the world partitioned neatly into these three categories.  However, since 9/11, national security – and specifically anti-terrorism – concerns have become increasingly hybridized criminal/security intelligence/foreign intelligence issues.   In actual surveillance practice, it is apparent that the foreign intelligence/security/crime boundary is murky.  For instance, there has been some controversy in the past between CSEC and its review body about whether some CSEC activities truly amount to foreign intelligence gathering. 

That particular concern seems now to have been resolved. More recently, however, controversy over CSEC’s metadata collection activity reflects a second notable development since the 1970s: how technological change has undermined a privacy regime first constructed for a simpler communications age. By all reasonable accounts, metadata – especially when pooled with Big Data – can be even more revealing of human behaviour than even intercepted communication content.  Yet, the government seems regularly to take the view that metadata is not private communication, as a legal matter. 

I dispute this particular conclusion in 12,000 words or less in an article that will appear in due course.  However, to the extent this position animates inside-government approaches on this issue, it has the effect of making the privacy protections in Part VI irrelevant.  Indeed under this reasoning, CSEC doesn’t even need a ministerial authorization for its metadata intercepts.

In the result, we have intercepts of potentially revealing information with no advance judicial or even legally mandatory ministerial oversight, and no formal disclosure requirements of any sort.  (One counterargument is that the review bodies serve as the public’s proxies in holding the security services to account.  I do not dismiss their significance.  In the area of privacy, they are, however, irrelevant.  The cardinal principle of privacy protection in Canadian law is advance authorization of invasions of privacy by an independent judicial officer, not after the fact criticisms by an arm’s length wing of executive government.)

 

Part 2. Recent Developments

So what has happened recently? Well over the last 18 months, the Supreme Court has begun to reclaim lost legal ground, reasserting established rules on search and seizure and underscoring their relevance in the cyber world.  Three cases serve as a sort of trilogy in this area – Telus, Vu and most recently (and most importantly) Spencer.  (We are expecting a fourth case, Fearon, on searches of smart phones).

For reasons of economy, I focus on Spencer, a decision with which I imagine many of you are familiar.  To cut to the chase: Spencer was about internet subscriber data in a police child pornography investigation.  The information in question was the name, address and telephone number of the customer associated with an IP address.  It was, in other words, the most benign form of data attached to an IP address -- what some have called "postal envelope" information. In a nutshell, the court nevertheless held that the Charter's section 8 protections against unreasonable searches and seizures extend to this subscriber data.  If the police want it from a service provider, they need to come a-knocking with a warrant.

The Court was unmoved by the fact that the information was actually in the possession of a third party service provider or that there was a service contract that (at least ambiguously) suggested disclosure was a possibility. 

Because of all this, I regard Spencer as one of the most important privacy decisions made by the Supreme Court, bar none.

 

Part 3  Where are We Going?

Let me provide some thoughts about what all this may mean for the future.  First, the Spencer holding has obvious knock on effects in the legislative arena.  For one thing, earlier proposals spearheaded by Vic Toews when he was public safety minister permitting warrantless access to subscriber information, are now clearly unconstitutional. 

There are also secondary issues with law projects before Parliament now.  For instance, Bill C-13 (the so-called cyberbullying bill) has now moved onto the senate.  It contains warrant provisions for metadata – called transmission data – albeit ones that requires relatively little of police to obtain.  But it also purports to allow law enforcement to continue asking for voluntary disclosure by service providers – something that would almost certainly violate the constitutional rules outlined in Spencer.  And it purports to immunize service providers who do disclose in response to such a request.

The question is a novel one, but it is quite plausible that the immunity provision would fail on constitutional grounds if challenged in court.  Accordingly, no service provider should ever respond to a state request for subscriber data with anything other than: “please show me your warrant”.

Second, I think there are obvious implications for security surveillance by CSEC.  The Supreme Court is prepared to extend section 8 protections to the most benign data -- name and address and telephone number -- associated with an IP address. 

It is inconceivable to me that it will now demur when it comes to other, even more intimate forms of metadata created by modern communication -- geolocations, place called, duration of calls, websites surfed etc.  While the degree of privacy protection will always depend on circumstances, I think the constitutional die is now cast when it comes to the sorts of metadata most contentious in the post-Snowden debates.

We don't know, of course, what CSEC (and perhaps other agencies) have been in fact collecting under the umbrella of "metadata".  Nevertheless, the concept is so broad and Spencer so dramatic, that I assume at least some of what the government has in the past collected is now subject to the full protections of section 8. 

And so putting CSEC’s activities on a sounder constitutional footing will require amendments to its governing statute.  In this respect, I strongly support the private member’s law project tabled by Joyce Murray  -- Bill C-622, now reaching second reading in the Commons.  Among other things, this bill would graft a modified judicial warrant regime on CSEC activities.  I would encourage those of you with an interest in this area to review this bill, and if you can, support it.  When this bill was first tabled before Spencer, I believed it was constitutionally necessary, as well as good policy.  Spencer more than affirmed that belief.  I confess surprise and disappointment that the government has not moved itself to place CSEC intercept of private communications on a firmer constitutional footing, not least because the BC Civil Liberties Association is suing it over the issue.  Regularizing the accountability process around intrusive and secretive surveillance seems an issue that transcends most conventional political boundaries.

Let me conclude, then, by reverting back to the question posed in the title of my presentation: “Does the State Belong in the Computers of the Nation?”  My answer was yes, subject to careful control and oversight.  The Spencer decision has breathed new life into Privacy Law 1.0, intercept gatekeeping rules.  And I think it is important to now ensure that control and oversight by courts become part again of the entire contemporary world of state surveillance.

Tuesday
Jun242014

Rogers Communications, Call Logs, & Warrantless Disclosures 

Citizens Lab has released a tool encouraging consumers to determine what information telecom providers are collecting on them (and possibly sharing with police and security services).  See Access Your Information (AIM).  They have also posted a template request letter.

In May, I used this template to file an information request with Rogers Communication, my cellphone provider.  I attach the substantive portions of the response, with my own personal information redacted (of course).  A couple of things are noteworthy:

  • Neither conform nor deny actual sharing with police or security services: In response to my request to disclose whether any of my call information had been shared with authorities, Rogers simply invokes compliance with PIPEDA.  In National Security Law, I describe the way PIPEDA works as follows:

...the PIPEDA contains several exceptions limiting disclosure of information to the individual to whom it relates. For instance, the organization may decline access to information where granting access to that individual could reasonably be expected to threaten the life or security of another individual.  Most notably, an individual whose personal information has been disclosed to the government by an organization regulated by that Act may be denied access to the information disclosed, or even knowledge of the disclosure, on national security grounds [or the defence of Canada or the conduct of international affairs or where related to enforcing the law of Canada, investigating money laundering or terrorist financing]. Where an organization regulated by the PIPEDA receives a request from an individual for personal information relating to [the organization's government disclosures in these matters], the organization must notify the government. The government must then, within thirty days, communicate to the organization any objection it would have to compliance with the individual’s request, on [the above noted grounds]. If the government does object, the organization must reject the individual’s request, decline to disclose the information in question to the individual, and notify the privacy commissioner.

Under the PIPEDA, I am not supposed to be told about any request made to, or any response from, the government.  However, I mailed my request on May 26 and received a response in a letter posted June 19.  If Rogers had supplied my information to the government, it would have needed to wait either 30 days or until the government reacted to my request (whichever came first).  The space of time between May 26 and June 19 is not 30 days.  So either Rogers and the government were remarkably efficient in denying my request, or my request simply did not trigger the above-noted process because my information hasn't been disclosed to the government.

I must say, I certainly hope the government isn't investigating me on any of the bases above, if only because I know that resources are so limited.  (That said, a government MP rationalized government scrutiny of public protests by observing this month that "law-abiding citizens can suddenly create a crime". So maybe in the world of surveillance we should all be considered provisional suspects. How about #EveryCanadianAPotentialCriminal as a Twitter slogan?)

(Incidentally, the turn-around time on my request is better than the response rate on any Access to Information request I have made.  So Rogers deserves acknowledgement for taking its legal obligations seriously.  The government might benefit from a similar ethos.)

  • Court Orders Required for Incoming Calls:  I was struck by the statement in the letter that Rogers does not provide "records of incoming calls without a court order".  I assume that this means they do not provide such records to me without court order, given the context in which I asked the question (that is, for my call logs).  If the reference was to supplying call logs to the government, I don't see any reason to distinguish between incoming and outgoing calls -- both raise the same privacy issues. We know from press reports that some information may have been provided to government by at least some telecommunications companies without court orders.  That practice has presumably now been superseded by the Spencer decision and its construal of the PIPEDA.  (It would be a very unwise telecommunications company who will now give out any call log or even basic subscriber data without asking police or security services for their warrant -- you don't want to be the telecommunication company that finds itself a named defendant in the novel class action suit claiming Charter s.24 damages for acting as the government's proxy in a Charter s.8 violation.)
  • Text messages aren't stored but metadata can be retrieved: I don't text because I think it's weird, but for those who do (and for those who email), Rogers says they "do not store the content".  If they did, the SCC decision in Telus suggests that the police should only get this content with a Criminal Code Part VI warrant.  In its letter, Rogers suggests it can recreate metadata associated with the message (date, time and recipient).  But in the wake of Spencer, disclosure of this metadata too most likely needs to be preceded by a warrant. 
  • Miscellaneous Information: The "additional information" I request on the second page is about 20 pages of coded transactions that appear to be mostly account and service plan information and occasional notes generated when I sought technical help.  The period of time spanned by these entries is 6 years and 2 months (which is considerably less time than I have been a Rogers customer, and so may reflect how long they keep readily accessible data).
Tuesday
Jun172014

Why Spencer Changes the Playing Field for CSEC & National Security Spying

By this point, most readers will be familiar with the Supreme Court of Canada's June 13 judgment in R. v. Spencer.  On twitter, I call this decision Hunter v. Southam for the digital age.  It is potentially that revolutionary.  The internet is aflood with excellent analyses of the decision from a privacy law perspective and somewhat less than excellent spin from the government side (see, e.g., Minister MacKay's comments on Spencer, and Bill C-13 in the House today). 

Here, I will simply canvass what I see to be the implications of Spencer for the simmering dispute over interception of metadata by Communications Security Establishment Canada (CSEC).

Basic Holding in Spencer

Spencer was about internet subscriber data in a police child pornography investigation.  The information in question was the name, address and telephone number of the customer associated with an IP address.  It was, in other words, the most benign form of data attached to an IP address -- what some have called "postal envelope" information.

In a nutshell, the court nevertheless held that the Charter's section 8 protections against unreasonable searches and seizures extends to this subscriber data.  If the police want it from an service provider, they need to come a-knocking with a warrant. In key passages, the Court wrote:

...the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. ... [S]ubscriber information, by tending to link particular kinds of information to identifiable individuals, may implicate privacy interests relating not simply to the person’s name or address but to his or her identity as the source, possessor or user of that information.... [T]he police request to link a given IP address to subscriber information was in effect a request to link a specific person (or a limited number of persons in the case of shared Internet services) to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized by the Court in other circumstances as engaging significant privacy interests

The Court was unmoved by the fact that the information was in the possession of a third party service provider or that there was a service contract that (ambiguously) suggested disclosure was a possibility.  Nor did it read the Personal Information Protection and Electronics Documents Act as somehow vitiating the reasonable expectation of privacy. 

In the result, at issue was a warrantless search not falling within the compass of permissible exceptions to the warrant requirement.

Implications for CSEC

The decision affirms the views I expressed in my draft article on CSEC and constitutional search and seizure rules (and requires me to shorten and make even more emphatic parts of this article prior to publication).  But it goes much further than I thought likely in entrenching constitutional protection for the penumbra of data that surrounds communication.  The Supreme Court is prepared to extend section 8 protections to the most benign data -- name and address and telephone number -- associated with an IP address and which everyone appreciates a telecommunication company collects for billing purposes. 

It is inconceivable to me that it will now demur when it comes to other, even more intimate forms of metadata created by modern communication -- geolocations, place called, duration of calls, websites surfed etc.  While the reasonable expectation of privacy will always depend on the totality of circumstances, I think the constitutional die is now cast when it comes to the sorts of metadata most contentious in the post-Snowden debates.

We don't know, of course, what the government has been in fact collecting under the umbrella of "metadata".  Nevertheless, the concept is so broad and Spencer so dramatic, that I assume at least some of what the government has in the past collected in the apparent belief that it does not attract a reasonable expectation of privacy is now subject to the full protections of section 8. 

As I discuss in my paper, I do not believe that it matters in the CSEC context that CSEC may be collecting Canadian origin information under its "Mandate A" incidentally, or for a national security purpose.  Neither of those concerns is a conventional justification for warrantless searches, nor does either necessitate a judge-free intercept system for any practical purpose. 

In this last respect, there is no technical reason why a judge couldn't be tasked with the approval process currently conducted by the minister as part of the ministerial authorization of private communication interceptions.  And that authorization could easily be broadened to cover authorizations for all intercepts that trigger section 8, not just "private communication".  (As I argue in my paper, I think the latter reaches metadata, but there is not one-for-one overlap in all instances between private communications and section 8's requirements.)

The Lawsuits

Putting CSEC on a constitutional footing will require amendments to the National Defence Act

More generally, after Justice Blanchard and Justice Mosley's decisions in relation to CSIS extraterritorial surveillance, after Spencer, after Snowden, it is abundantly clear that Canadian national security surveillance law needs legislative renovation. Our national security surveillance laws give every impression of now being a patchwork of untenable theories whose persistence depends almost entirely on them not getting in front of a court.  And the era of none of this being fodder for courts is now at an end.

In a world of good faith action by rationally motivated decision-makers, the government would go back the legislative drawing board and preempt the lawsuits brought by BCCLA and CCLA, discussed in a prior post.  

No one can doubt we need effective security services, and no one can doubt they need to be clothed in definite and workable laws.  It is possible to square the circle on constitutionality and national security in the surveillance area.  Inaction now just creates more uncertainty.  Litigation will narrow the field of action for the government, and create ground rules that are the product of the adversarial process, not premeditated design. 

I am not inclined to polemics (although perhaps readers would disagree).  But if the government doubles-down now, it is because of simple inertia and a lack of policy imagination.  Or it is because it has consciously decided that there is more political virtue in obstinacy than in proactively crafting a workable national security intercept regimen.  Either reason would be an indictment.