I went to a panel entitled Overdue Update or Big Brother? Lawful Access and Cyber Surveillance at U of T’s Faculty of Law yesterday. It was moderated by Graeme Norton, director of the Canadian Civil Liberties Association’s Public Safety Project. The panel included David Murakami-Wood, a member of the New Transparency project (and the only non-lawyer), Lisa Austin from the Faculty of Law and Robert Hubbard, counsel with the Crown Law Office – Criminal of the Ministry of the Attorney General of Ontario.
The idea behind the panel was to explore the implications of two bills, C-46 and C-47 for the preservation of Canadians’ privacy, and of their potential for broad infringement of our rights and liberties. The bills are ostensibly aimed at “modernizing” current the “lawful access” regime, which enables the state to access electronic communications data. While investigative powers are claimed to be central to the “rapidly evolving methods of crime”, there is the everpresent threat of abuse. As one audience member put it, you can’t rely on the “good men and women” of the state or its appointees. The law has to protect all interests, and seek a balance where these compete.
Norton gave an overview of “lawful access legislation” and its “modernization,” which has been on the state’s agenda since 2002. This has been the subject of some consultation (it was unclear how much or how broad) around updating the legal regime that deals with accessing the telecommunications of Canadians. The claim is that current rules are frustrating police investigations; proponents of Bills C-46 and C47 say proposed changes are mere “modernization” to keep pace with changes in technology. I am always suspicious of this disclaimer: it’s only technology, stupid. Where technology is used as an excuse for greater social control, I think we need to be extremely sceptical.
Opponents see the proposed legislation as an advance toward privacy invasion. At the least, the title of Bill C-46, Investigative Powers for the 21st Century, suggests an overbroad jurisdiction. C-46 would require telcos to preserve and provide customer information on a standard of reasonable suspicion. This data could be obtained under two different types of judicial orders: a warrant (when the data is acquired in real-time), or a production order for historical data. Transmission data is who sent an email to whom and tracking data is the location of a specific technology at a particular time. Finally, C-46 it would give a new authority to activate tracking devices in customers’ technologies, such as cell phones.
According to the Department of Justice: “The amendments would create a preservation order that would require a telecommunication service provider (TSP) to safeguard and not delete its data related to a specific communication or a subscriber when police believe the data will assist in an investigation. A preservation order is a “quick-freeze”, temporary order, and would only be in effect for as long as it takes law enforcement to return with a search warrant or production order to obtain the data.”
A tracking order would “allow police to remotely activate existing tracking devices that are found in certain types of technologies (such as cell phones and tracking devices in some cars) and would also continue to permit the police to install a separate device that would allow for tracking. A new provision would also be added to allow peace and public officers to obtain the tracking information through a production order.”
The Canadian Internet Policy and Public Interest Clinic (CIPPIC) is concerned that the standard required for the production, preservation and tracking orders “will not meet the typical ‘reasonable and probable grounds’ level. Even though the production order would not allow access to the content of private communications, dates, times, and header information on e-mail messages has the potential create a detailed picture of an individual’s social network, online activities, and personal interests. The generation of such profiles ought only be allowed in the case where there are reasonable and probable grounds that the individual has committed a crime, and should therefore be granted by judicial authorization to that standard.”
Bill C-47, titled Technical Assistance for Law Enforcement in the 21st Century Act, “will not provide law enforcement or CSIS with any new interception powers, nor will it change or expand existing interception authorities in any way. Rather, it will address the challenges posed by modern technologies that did not exist when the legal framework for interception was designed nearly 40 years ago. Police forces and CSIS will continue to require warrants for interception,” according to Public Safety Canada.
Bill C-47 has two components: Intercept and Subscriber Information. The Intercept component requires companies to upgrade their infrastructure to ensure they have capacity to monitor, capture, preserve information. The Subscriber Information component requires telcos to provide—without a court order—basic identifiers such as name, address, telephone number and Internet Protocol (IP) address, e-mail address, service provider identification and certain cell phone identifiers to police forces and CSIS in a “timely fashion.” Law enforcement would have to be authorized, the request would have to be made in writing, and it is all subject to internal audits and discretionary audits by the Privacy Commissioner.
Jennifer Stoddart, Canada’s Privacy Commissioner, has already weighed in with her concerns, noting that “Canada has a legal regime governing the use of surveillance that protects individual rights while also giving authorities access to communications when authorized. This framework has been carefully refined over decades by Parliament and the courts. To date, the federal government has presented no compelling evidence that new powers are needed.”
She further states that right balance between individual privacy and the legitimate needs of the authorities might be struck by “obliging the government to demonstrate that the expanded surveillance powers they contain are essential and that each of the new investigative powers is justified,” and “exploring the alternative that, should these powers be granted, they be limited to dealing with specific, serious crimes and life-threatening emergencies.”
David Murakami-Wood, Canada Research Chair and associate professor of Surveillance Studies at Queen’s University, took a broad perspective, and focused on the ethical and social implications of this new legislation. He also linked Canada’s efforts at the “modernization” of its lawful access regime to an international trend to expand the definition of lawful access as well as the definition of data—who owns it and who controls its flow? He argued that decisions made in Canada on such matters will have a ripple affect as other nations struggle to tame the wilds of cyberspace.
Robert Hubbard saw nothing particularly troubling with the proposed legislation. “Generally generally speaking [it is] no different than any other criminal legislation that involves a breach of expectation of privacy. The protection there by requiring judge to sign on to it. It is a species of warrant.” Hubbard said that in the criminal law context, it is “very consistent with laws there now that involve breach of privacy. Canada is about 10 to15 years behind in intrusion into privacy.”
The audience did not care much for Hubbard’s cavalier disregard for the potential threat this privacy invasion poses for democratic society and he took most of the heat during the Q & A. He was non-plussed, however, and repeated his central point, which was that the new powers would still require authorization by a judge, which he felt was a sufficient check.
Lisa Austin, who also works with U of T’s Privacy Project gave the lie to the assumption that a lawful access regime was mainly about balancing privacy against other interests, such as those of law enforcement. “We’re talking about a Charter right – not just an interest.”
Austin explained that certain criteria must be met for justifying the exercise of police authority—criteria that are constrained by notions of rule of law and accountability. She pointed out that the Privacy Commissioner has identified a lack of justification for privacy intrusion outlined in C-46 and C-47. “No systematic case has been made for need to circumvent current regime,” she noted, wondering further exactly how current provisions failed to meet the investigative needs of law enforcement.
Austin was concerned about what she called an infrastructure of surveillance being built into the communication systems, especially the internet. With this legislation, she said, “there is nothing you can do on the net that the police can’t identify.” Emerging case law, she added, seems to support warrantless access to people’s information: “there is no reasonable expectation of privacy.”