[After returning from extended travels, I delievered the following talk on Wed Oct 22 at the Confernece Centre in downtown Ottawa, as part of the SERENE-RISC cybersecurity conference. After our panel, we were notified that the building was in lockdown because of events unfolding across the Canal. The policy and political conversation will likely focus now on new powers and procedures for security and intelligence agencies. I debated, therefore, whether to post these notes at this time. However, history persuades me that it is better to twin any discussion of state powers with consideration of accountability, or risk violating the law of unintended consequences.]
I’ve entitled my talk, somewhat tongue in cheek, “Does the State Belong in the Computers of the Nation?”
So let me answer. Yes, there are absolutely circumstances where the state should have powers of surveillance – nothing separates communication by electronic device from the sort of important policy concerns that justify carefully controlled and overseen state surveillance. And those policy concerns are compelling. Not least, there are bad people who would do us harm, and anticipating and preempting their conduct is often our best defence. That requires intelligence, and intelligence often depends on surveillance.
But everything hinges on my caveat: “carefully controlled and overseen”. Let me explain: in using these terms, I am talking of what I’ll call Privacy 1.0 – the idea that the best protection of privacy comes from supervising and limiting the data that government can collect in the first place. As an aside: I think we also need more serious conversations about Privacy 2.0 – what the state can do with data already in its possession. But I shall focus today on Privacy 1.0 and control of collection.
And on this issue, for a surprisingly long period of time, the rules governing intercept of computer-based communications have been murky, mostly because of the mismatch between modern electronic communication and laws designed for a different age. This disconnect has created ambiguities that have variously been the source of uncertainty and also of creative state interpretations of exactly what it is they are legally able to do.
To the extent that Parliament has intervened, it has generally done so in a manner seeking clarity at the expense of privacy. However, in the last year the Supreme Court has entirely recrafted the legal landscape in a manner that makes much past practice and past legislative projects irrelevant. Put more concretely, the Court has signaled that “carefully controlled and overseen” still has a place in assessing the legality of state surveillance.
In the next 10 minutes, I want to set out where we’ve come from in this area, where we are now, and suggest where we may be heading. My focus will be mostly, but not exclusively, on national security related surveillance.
Part 1: Where Have We Come From
In the area of security surveillance, privacy law has generally not kept pace with two key developments: first, the considerable overlap between what were once the fairly discrete areas of criminal law investigations, security intelligence investigations and foreign signals intelligence collection; and, second, the technological communications revolution.
A. Privacy and Crime
Let me trace a chronology of law, surveillance and technology in developing this thesis. In 1974, Parliament enacted the Protection of Privacy Act -- now known as Part VI of the Criminal Code. Part VI is the most important of what we call “lawful access” provisions. Part VI makes unauthorized intercept of private communications a crime. In practice, and subject to some limited exceptions, lawful access therefore requires a judicial pre-authorization.
Judicial blessing in advance of interference with a reasonable expectation of privacy has since also become the standard under section 8 of the Canadian Charter of Rights and Freedoms. And the practice for judicial authorizations of all sorts in privacy matters has been “specificity” – that is, warrants are issued for finite purposes against finite targets in finite circumstances and locales.
Part VI was, and is, directed principally at law enforcement – it is the means by which the RCMP, for instance, receives wiretap authorizations.
B. Privacy and Security Intelligence
That said, the key principles undergirding Part VI lawful access – advance authorization by judges with specificity – also became part of the regulatory system for the Canadian Security Intelligence Service, when that body was created in 1984.
There were, however, differences between criminal law surveillance and the security intelligence surveillance conducted by CSIS. (Note that “security intelligence” is a shorthand for a finite list of issues enumerated in the CSIS Act and relating to “threats to the security of Canada”).
For one thing, Part VI authorizations must ultimately be disclosed – both their particulars (to the person surveilled, after expiry of the authorization) and also annual statistics on the number of such measures.
In practice, the annual numbers of CSIS warrants do appear in the CSIS review body’s annual reports. However, the existence of CSIS warrants are not disclosed to their targets, and only come to light in the rare instance where a CSIS investigation morphs into a criminal matter (and is passed on to the police and ultimately results in criminal charges), or even more rarely when a particular CSIS surveillance operation becomes a matter of public controversy.
Canadian law, in other words, places criminal law surveillance and security intelligence surveillance on a different legal footing when it comes to transparency.
C. Privacy and Foreign Intelligence
Then in 2001, after 9/11, the National Defence Act was amended to codify formally the intercept powers of Communications Security Establishment Canada. Of particular note, the new law opened the door to lawful intercept by CSEC of Canadian “private communications” as part of its so-called Mandate A – that is, collecting foreign signals intelligence.
Up until this point, had CSEC intercepted Canadian private communications in performing this function, it would have committed a crime under Part VI of the Criminal Code. After 2001, CSEC was exempted from Part VI so long as the Minister of National Defence authorized any intercept of private communications.
Obviously, the fact that authorization comes from the minister, and not a judge, places CSEC on a fundamentally different footing than the police or CSIS. Moreover, unlike CSIS or Part VI authorizations, CSEC authorizations are more generic permissions, relating to an “activity” or “class of activity” and not to a specific individual or individuals. And in terms of transparency, the CSEC review body tells us how many ministerial authorizations exist, but we know nothing about their content (which rests a closely guarded secret).
These differences in the CSEC lawful access regime likely reflected the perception that CSEC’s eyes were outward looking, focused on foreign signals intelligence that only incidentally and haphazardly swept up domestic communications. Conventional privacy protections could, in these circumstances, be muted.
Much has since been said and debated in the post-Snowden period as to what CSEC does and does not intercept, and how and in what circumstances it captures private communications. I will not rehearse that saga here.
Instead I make my key point: since 1974, the scope of lawful access has gone from: first, police investigating crime and intercepting with specific judicial authorization that then is subsequently disclosed; second, CSIS investigating security intelligence matters and intercepting with specific judicial authorization, that is never disclosed, and; third, CSEC collecting “foreign intelligence” by intercepting private communication (at least incidentally) with more generic authorization, not from a independent judicial officer, but from a member of the political executive, that is never disclosed.
D. Implications of Morphing Mandates and Technological Change
In the result, we have a system of surveillance law designed for a criminal law paradigm, tweaked to deal with security intelligence and essentially abandoned in all material respects for foreign signals intelligence.
This may have been sustainable in a period when the world partitioned neatly into these three categories. However, since 9/11, national security – and specifically anti-terrorism – concerns have become increasingly hybridized criminal/security intelligence/foreign intelligence issues. In actual surveillance practice, it is apparent that the foreign intelligence/security/crime boundary is murky. For instance, there has been some controversy in the past between CSEC and its review body about whether some CSEC activities truly amount to foreign intelligence gathering.
That particular concern seems now to have been resolved. More recently, however, controversy over CSEC’s metadata collection activity reflects a second notable development since the 1970s: how technological change has undermined a privacy regime first constructed for a simpler communications age. By all reasonable accounts, metadata – especially when pooled with Big Data – can be even more revealing of human behaviour than even intercepted communication content. Yet, the government seems regularly to take the view that metadata is not private communication, as a legal matter.
I dispute this particular conclusion in 12,000 words or less in an article that will appear in due course. However, to the extent this position animates inside-government approaches on this issue, it has the effect of making the privacy protections in Part VI irrelevant. Indeed under this reasoning, CSEC doesn’t even need a ministerial authorization for its metadata intercepts.
In the result, we have intercepts of potentially revealing information with no advance judicial or even legally mandatory ministerial oversight, and no formal disclosure requirements of any sort. (One counterargument is that the review bodies serve as the public’s proxies in holding the security services to account. I do not dismiss their significance. In the area of privacy, they are, however, irrelevant. The cardinal principle of privacy protection in Canadian law is advance authorization of invasions of privacy by an independent judicial officer, not after the fact criticisms by an arm’s length wing of executive government.)
Part 2. Recent Developments
So what has happened recently? Well over the last 18 months, the Supreme Court has begun to reclaim lost legal ground, reasserting established rules on search and seizure and underscoring their relevance in the cyber world. Three cases serve as a sort of trilogy in this area – Telus, Vu and most recently (and most importantly) Spencer. (We are expecting a fourth case, Fearon, on searches of smart phones).
For reasons of economy, I focus on Spencer, a decision with which I imagine many of you are familiar. To cut to the chase: Spencer was about internet subscriber data in a police child pornography investigation. The information in question was the name, address and telephone number of the customer associated with an IP address. It was, in other words, the most benign form of data attached to an IP address -- what some have called "postal envelope" information. In a nutshell, the court nevertheless held that the Charter's section 8 protections against unreasonable searches and seizures extend to this subscriber data. If the police want it from a service provider, they need to come a-knocking with a warrant.
The Court was unmoved by the fact that the information was actually in the possession of a third party service provider or that there was a service contract that (at least ambiguously) suggested disclosure was a possibility.
Because of all this, I regard Spencer as one of the most important privacy decisions made by the Supreme Court, bar none.
Part 3 Where are We Going?
Let me provide some thoughts about what all this may mean for the future. First, the Spencer holding has obvious knock on effects in the legislative arena. For one thing, earlier proposals spearheaded by Vic Toews when he was public safety minister permitting warrantless access to subscriber information, are now clearly unconstitutional.
There are also secondary issues with law projects before Parliament now. For instance, Bill C-13 (the so-called cyberbullying bill) has now moved onto the senate. It contains warrant provisions for metadata – called transmission data – albeit ones that requires relatively little of police to obtain. But it also purports to allow law enforcement to continue asking for voluntary disclosure by service providers – something that would almost certainly violate the constitutional rules outlined in Spencer. And it purports to immunize service providers who do disclose in response to such a request.
The question is a novel one, but it is quite plausible that the immunity provision would fail on constitutional grounds if challenged in court. Accordingly, no service provider should ever respond to a state request for subscriber data with anything other than: “please show me your warrant”.
Second, I think there are obvious implications for security surveillance by CSEC. The Supreme Court is prepared to extend section 8 protections to the most benign data -- name and address and telephone number -- associated with an IP address.
It is inconceivable to me that it will now demur when it comes to other, even more intimate forms of metadata created by modern communication -- geolocations, place called, duration of calls, websites surfed etc. While the degree of privacy protection will always depend on circumstances, I think the constitutional die is now cast when it comes to the sorts of metadata most contentious in the post-Snowden debates.
We don't know, of course, what CSEC (and perhaps other agencies) have been in fact collecting under the umbrella of "metadata". Nevertheless, the concept is so broad and Spencer so dramatic, that I assume at least some of what the government has in the past collected is now subject to the full protections of section 8.
And so putting CSEC’s activities on a sounder constitutional footing will require amendments to its governing statute. In this respect, I strongly support the private member’s law project tabled by Joyce Murray -- Bill C-622, now reaching second reading in the Commons. Among other things, this bill would graft a modified judicial warrant regime on CSEC activities. I would encourage those of you with an interest in this area to review this bill, and if you can, support it. When this bill was first tabled before Spencer, I believed it was constitutionally necessary, as well as good policy. Spencer more than affirmed that belief. I confess surprise and disappointment that the government has not moved itself to place CSEC intercept of private communications on a firmer constitutional footing, not least because the BC Civil Liberties Association is suing it over the issue. Regularizing the accountability process around intrusive and secretive surveillance seems an issue that transcends most conventional political boundaries.
Let me conclude, then, by reverting back to the question posed in the title of my presentation: “Does the State Belong in the Computers of the Nation?” My answer was yes, subject to careful control and oversight. The Spencer decision has breathed new life into Privacy Law 1.0, intercept gatekeeping rules. And I think it is important to now ensure that control and oversight by courts become part again of the entire contemporary world of state surveillance.