IPC Submission to Minister of Justice and Attorney General of Canada on 2005 "Lawful Access" Consultations

Summary  A review and commentary on the "Lawful Access" consultations which took place in 2005. The comments and recommendations relate to three broad themes: 1) the call for a Privacy and Security Taskforce; 2) the sensitivity of the personal information involved
Keywords  Surveillance, taskforce, search, seizure, interception
Published Date  Apr 21, 2005
IPC Submission to Minister of Justice and Attorney General of Canada on 2005 "Lawful Access" Consultations


April 21, 2005


The Honourable Irwin Cotler
Minister of Justice and Attorney General of Canada
House of Commons,
284 Wellington Street
Ottawa, Ontario K1A OA6

Dear Minister:

RE: The 2005 “Lawful Access” Consultations

Commissioner Ann Cavoukian has asked me to write you in response to the federal government’s 2005 “Lawful Access” proposals. The Ontario Information and Privacy Commissioner’s mandate includes commenting on developments that affect the personal privacy of Ontarians. The current proposals clearly do. Accordingly, we welcome the opportunity to join other Canadian Privacy Commissioners and Ombuds Officers in this critical public consultation.

First, please accept our thanks for having your staff and multi-department project team attend at our office. The presentations and subsequent discussions were very helpful. What follows is our response to six power point slide decks and the oral presentation provided on March 7, 2005 (Combating cyber-crime: the context, March 2005; E-mails: Considerations for Criminal Law Policy, March 2005; Lawful Access Proposals: Proposals with Respect to Compelling Interception Capability and Access to Subscriber Information, March 2005; Lawful Access: Legal Review, February-March 2005; and Lawful Access – Amendments to the Competition Act, March 2005). (More recently, we received and reviewed Transmission Data: Considerations for Criminal Law Policy, February 2005.) Should the consultations produce legislative action, we may, of course, provide further comment at that time.

It is apparent that, since Commissioner Cavoukian wrote the Minister of Justice on December 10 th, 2002, the “Lawful Access” proposals have evolved. For example, it appears that the government’s intention is to limit the surveillance of live communications including in transit e-mail consistent with Part VI of the Criminal Code of Canada. This is welcome news. We also applaud the government’s decision not to create databanks on subscribers or their day-to-day use of the new technologies. No such databanks should be countenanced. And we encourage you to press forward with the proposal to treat surreptitious video surveillance as a means of “last resort”.

At the same time, we believe that critical elements of the current plans appear to misconceive how Canadians interact with the new communications technologies and significantly underestimate the sensitivity of the personal information involved. The concomitant risks to privacy and other fundamental rights are significant. While we continue to support the vital law enforcement interest in pursuing electronic evidence and intelligence about serious wrongdoing, we also urge the government to ensure that any search and seizure of personal communications be subject to the most rigorous oversight.

Our comments and recommendations relate to three broad themes: 1) the call for a Privacy and Security Taskforce; 2) the sensitivity of the personal information involved; and 3) the oversight necessary to counter the risks of broader surveillance and access powers.

1. The Call for a Privacy and Security Taskforce

Rapid technological changes are transforming the means, volume, and nature of our private communications and private activities. We no longer need leave our own homes to shop, study, bank, socialize, or consult. As we participate in this transformation, new information structures arise and a new economy grows. However, in participating, Canadians have not surrendered their rights to privacy. Indeed, as reactions to recent information security breaches suggest, Canadians and the companies that service our electronic relationships are becoming increasingly concerned about confidentiality and the protection of personal privacy.

Like the traditional storefront economy, the new web-based economy is dependent on establishing and maintaining trust. Routine government surveillance is as capable of undermining that trust as poor corporate security. Nor is trust enhanced by transforming companies doing online business into virtual agents of the state. And yet, since 2002, federal legislation has been passed that encourages or even requires such entities to engage in surreptitious evidence gathering.

In focusing on intrusive new powers, there is a risk that we endanger proactive innovation. By facilitating surveillance and access, we may even inadvertently make our communications systems more vulnerable to illegal access. Canadians have been leaders in developing new technologies. In our view, Canadians are possessed of untapped ingenuity and enterprise with respect to developing measures to enhance security, safety, and privacy.

Accordingly, we urge the Government of Canada to publicly commit to cooperation with universities, the private sector, non-governmental organizations, and other Canadians in investing in educational, technological, and privacy enhancing preventative measures to combat identity theft and other cyber-facilitated wrongdoing. Privacy and security would both benefit from a coordinated effort to enhance the national and international standards in foundation documents, authentication procedures, encryption technologies, user control, and software design. A Privacy and Security Taskforce dedicated to facilitating such work should be struck.

Legislative reform should not precede such an undertaking. As a founding member of the Privacy Enhancing Technologies Testing and Evaluation Project, our office would be pleased to provide whatever assistance we can.

2. The Sensitivity of the Personal Information Involved

Until recently, real-time electronic eavesdropping on private communications has arguably been the most intrusive form of surveillance. Innocent individuals who make or receive a call through a wiretapped telephone line or who enter a “bugged” room are vulnerable to being swept up in a criminal investigation or an intelligence file. A person’s intimate relationships and private exchanges may be noted, recorded, and subject to further investigation. In recognizing these serious risks to privacy, Parliament’s response has been to insist on both stringent judicial oversight and annual reporting on police use of this highly intrusive form of surveillance.

In contrast, the 2005 “Lawful Access” proposals would allow the state to collect extensive electronic information and intelligence about individuals without comparable safeguards. At the outset of the 21 st Century, the everyday use of new digital technologies routinely generates a highly revealing record of personal information as Canadians go about their day to day lives. It is not necessary to “listen in” live to electronic communications in order to capture an in depth data-rich composite of our private and personal activities, movements, intentions, relations, and associations. Access to data stored by telecommunication companies, ISP’s, banks, other businesses and institutions, and at home can reveal that personal profile at any time of the day or night.

Indeed, the private content of our live telephone communications may be dwarfed by the private content in the digital trail or traffic data created every time each of us sends an e-mail, surfs the Internet, uses a bank card or simply carries a cell phone or text messaging device. While not all of this data is currently stored for any great length of time, much of it will be increasingly subject to ready storage and instant analysis as technological capacities increase and technological costs decrease.

Accordingly, it is our view that any state access to the personal information associated with private electronic communications including communication content, traffic data, as well as location data, must be subject to rigorous independent oversight.

3. The Oversight Necessary to Counter the Risks of Broader Surveillance and Access Powers

A) The Role of Judicial Authorization and the Threshold for a Warrant

Recently enacted and newly proposed “production” orders allow the state to access corporate held databases. Because “production” orders are directed in whole or part to the capturing of private electronic communication data, they are comparably as intrusive of privacy as old style telephone wiretaps. As indicated above, a week’s worth of such data may expose the interactions of families, friends, acquaintances, and associates. And because such orders are served on third parties, the people directly impacted may never learn of such violations of their privacy. Alternatively, they may be surprised to discover the consequences of someone’s earlier decision to treat them as “guilty by association”. Travel plans may be derailed, jobs may be denied, and persons may be detained or deported. Where the information is shared with the law enforcement and national security authorities of other countries, the person may even be subject to extra-legal rendition. While police must not be denied the power to pursue electronic evidence of serious wrongdoing, Canadians’ interest in privacy must not be discarded upon a mere suspicion that someone has committed a minor offence.

In our view, it is essential that more stringent conditions precedent be enacted in relation to state access to this information. Production orders in respect of personal electronic communication should be confined to investigations in respect of the list of serious offences in section 183 of the Criminal Code. Before issuing such orders, a high court judge ought to be satisfied that:

  • there are reasonable and probable grounds to believe that an offence under section 183 of the Criminal Code has been or is being committed,

  • other less intrusive investigative methods are likely to prove impracticable,

  • measures will be taken to safeguard the privacy of the personal information obtained, particularly of non-suspects, and

  • the intrusion is otherwise in the best interests of the administration of justice.

The government also proposes to create a new set of powers that police could invoke to require data managers to locate and hold personal information in documents or databanks. The proposals argue that these “preservation” order powers are necessary to support the production order powers discussed above. In our view, any power to issue a “preservation” order, including the proposal that police officers be effectively empowered to “knock on the door” and order data managers to freeze data, should be confined to the same list of serious offences in section 183.

The 2005 proposals would also provide law enforcement with a broad power to contact Internet and telecommunication service providers and compel them to disclose personal “subscriber information”, in some cases within 30 minutes of the demand. At a minimum, we urge you to ensure that any such power is confined to clear and defined statutory grounds. Moreover, in addition to requiring that peace officers document their use of this power, they should also be required to provide service providers with explicit written justification for each demand before access to the identifying layers associated with the personal “subscriber information” is granted.

Finally, all those whose personal information is obtained under a surveillance and access regime should be entitled to notification at the appropriate time. And, in accord with recommendations that follow, state use of these powers and access to this personal information should be superintended and reviewed by an independent agency.

B) The Role of an Independent Surveillance and Access Review Agency

The proposal states that the supervision provided by prior judicial authorization and complaint-driven oversight under the Charter, the Privacy Act, and the RCMP Act provide sufficient safeguards for the protection of our fundamental rights and freedoms. We are of the view that these protections, while critical, are fundamentally insufficient in this context.

The proposed warrant applications will involve complex, highly technical, and sensitive information. Moreover, warrant applications are necessarily held in camera and ex parte. Innocent individuals subject to surreptitious invasions of their privacy may never be in a position to file for let alone find redress. Any in depth public scrutiny of such matters is the exception to a general rule of secrecy.

Furthermore, under your proposal, local, provincial, and federal law enforcement agencies would be empowered to use these intrusive powers in pursuit of both domestic and international investigations. The current reporting practices of provincial and federal Attorneys General vary considerably despite longstanding wiretap reporting requirements mandated under the Criminal Code of Canada. Without a focused harmonizing and coordinating authority, inconsistent policies and practices are likely to develop among the various jurisdictions. Privacy rights and civil liberties will suffer from fragmented and inconsistent protections

In order to safeguard our fundamental freedoms and human rights, we believe it is critical that Parliament and the public learn of the ongoing and cumulative impact of personal electronic communication surveillance and access.

Accordingly, we call for the creation of an independent, arm’s-length Surveillance and Access Review Agency (SARA) mandated to supervise access to this highly sensitive personal information and report annually to Parliament on the propriety of the operations of the regime. The Commissioner of such an agency should be an independent Officer of Parliament nominated by an all-party committee of the House of Commons and appointed by the Governor-in-Council with sufficient security of tenure to ensure independence and sufficient powers and resources to carry out the mandate of the Office and ensure the desired transparency and accountability.

There is precedent for such an agency. In Switzerland, the federal agency, le Services des tâches spéciales oversees all electronic and mail surveillance and access activities at both the federal and canton level. A Canadian Surveillance and Access Review Agency (SARA) would superintend each intercept, surveillance and production warrant granted in respect of private electronic communications. Like the Swiss model, SARA could perform a screening function, ensuring all conditions precedent are fulfilled before an application for a judicial warrant is made. Where all of the conditions were not fulfilled, the omission would have to be rectified before the warrant application could be filed. SARA should be organized such that applications to be made on an exigent basis could be dealt with expeditiously.

The Agency could also screen all police preservation and subscriber information requests, as well as vet any electronic communications custodian decisions to voluntarily disclose any personal electronic communication data to the authorities. (Electronic communication custodians would include telecommunications, banking, and web-based companies, as well as any institution, organization, or corporation that routinely handles communication data.) Voluntary disclosures would first be transmitted to SARA which would then be empowered to determine whether or not they disclosed evidence warranting disclosure to law enforcement. Under exigent circumstances, police would be able to issue a preservation order or make a subscriber information request directly to a communication custodian. However, both the police and the custodian should be required to report to SARA immediately thereafter.

Bearing in mind the need to protect the integrity of any ongoing investigations, SARA would ensure the appropriate notification of any individuals whose privacy has been impacted by surveillance or production warrants, preservation or subscriber information requests, or voluntary disclosures. Contemporaneously, the authorities would be required to attest to the destruction of personal information in respect of innocent parties. Similarly, a uthorities who had received information in error or under a faulty application would report to SARA and attest to the destruction of the information.

Critically, SARA’s role in superintending all warrants, requests, and disclosures would allow it to study and report on all aspects of the operation of a personal electronic communication surveillance and access regime including:

  • the number of warrants and requests sought, granted, and delivered in relation to both Canadian and foreign investigations;

  • any concerns about the sufficiency of the case for access, the over-breadth of materials disclosed, or the mishandling of personal information by either law enforcement or electronic communication custodians; and

  • an analysis of the offences investigated, the patterns and numbers of innocent and suspected individuals targeted, and the outcomes of the investigations.

SARA might also commission studies on the privacy impact of new communications technologies and personal information handling practices. In any case, SARA would issue an annual detailed public report directly to Parliament. It would also be required to alert the relevant Attorneys General whenever it had a reasonable basis to believe that law enforcement officials or communication custodians had misapplied the surveillance and access powers so as to warrant discipline, sanction, criminal prosecution, and/or policy changes. And SARA would report annually on the government’s handling of any such alerts.

Conclusion

In our view, neither the current law, nor the latest proposals provide sufficiently robust or dynamic privacy protections. And as new technologies appear, surveillance and access capacities tend to grow. The government must be mindful that, in the absence of adequate safeguards today, the privacy rights of Canadians may be harmed by function creep tomorrow as new tools and new powers are put to new uses. Any proposal to significantly expand surveillance powers without increasing independent oversight has not and, in our view, cannot be justified.

In light of the above-noted concerns, we urge the Government of Canada to both establish a Privacy and Security Taskforce and enhance the privacy protections in the “lawful access” proposals. We strongly urge you to ensure that any further changes to the law are subject to full public scrutiny and debate, and a careful and deliberative legislative process. Changes to the laws governing search, seizure, and surveillance must not only provide law enforcement with the tools to counter technologically sophisticated wrongdoing, they must also ensure that privacy rights in Canada enjoy necessary enduring protections. In particular, any new legislation should clearly provide that any personal information associated with private electronic communications data enjoys a strong legal expectation of privacy backed up by rigorous oversight.

In closing, we thank you for your efforts to consult stakeholders across Canada. In furtherance of advancing the public debate about these critical issues, we will be posting this letter on our website at web1.ipc.on.ca.. For your convenience, I attach a summary of our recommendations. If we can be of any further assistance, please do not hesitate to contact our offices.

Sincerely yours,

Ken Anderson
Assistant Commissioner (Privacy)

cc:

The Honourable Anne McLellan, Deputy Prime Minister and Minister of Public Safety and Emergency Preparedness
The Honourable David Emerson, Minister of Industry
Sheridan Scott, Commissioner of Competition
Jennifer Stoddart, Privacy Commissioner of Canada
Provincial/Territorial Privacy Commissioners and Ombuds Officers
Christopher Blain, Department of Justice



Summary of IPC/O Recommendations in Response to the Federal Government’s 2005 “Lawful Access” Consultation:

The Call for a Privacy and Security Taskforce

  1. The Office of the Ontario Information and Privacy Commissioner urges the Government of Canada to publicly commit to establishing a Privacy and Security Taskforce. Such a taskforce would draw on universities, the private sector, non-governmental organizations, and other Canadians. It would be dedicated to facilitating the development of privacy enhancing preventative measures to combat identity theft and other cyber-facilitated wrongdoing. Legislative reform should not precede such an undertaking.

The Sensitivity of the Personal Information Involved

  2. Legislation governing the search, seizure, interception, and surveillance of private electronic communications must provide strong legal privacy protections backed up by rigorous oversight.

  3. In particular, state access to the personal information associated with private electronic communications, including communication content, traffic data, as well as location data, must be subject to rigorous independent oversight.

The Oversight Necessary to Counter the Risks of Broader Surveillance and Access Powers

  The Role of Judicial Authorization and the Threshold for a Warrant

  4. Any power to issue a “production” order in respect of personal electronic communication data should be confined to investigations in respect of the list of serious offences in section 183 of the Criminal Code. Before issuing such orders, a high court judge ought to be satisfied that:
  • there are reasonable and probable grounds to believe that an offence under section 183 of the Criminal Code has been or is being committed,

  • other less intrusive investigative methods are likely to prove impracticable,

  • measures will be taken to safeguard the privacy of the personal information obtained, particularly of non-suspects, and

  • the intrusion is otherwise in the best interests of the administration of justice.
  5. “Preservation” order powers should be confined to the same list of serious offences.

  6. Any law enforcement power to compel Internet and telecommunication service providers to release “subscriber information” should be confined to clear and defined statutory grounds. In addition to requiring that peace officers document their use of this power, they should also be required to provide service providers with explicit written justification for each demand before access to the identifying layers associated with the personal “subscriber information” is granted.

  7. All those whose personal information is obtained under a surveillance and access regime should be entitled to notification at the appropriate time.

  The Role of an Independent Surveillance and Access Review Agency

  8. The Office of the Ontario Information and Privacy Commissioner calls for the creation of an independent, arm’s-length Surveillance and Access Review Agency (SARA) mandated to supervise access to this highly sensitive personal information and report annually to Parliament on the propriety of the operations of the regime. The commissioner(s) of such an agency should be an Officer of Parliament nominated by an all-party committee of the House of Commons and appointed by the Governor-in-Council with sufficient security of tenure to ensure independence and sufficient powers and resources to carry out the mandate of the Office and ensure the desired transparency and accountability.

  9. The Surveillance and Access Review Agency would superintend each intercept, surveillance, and production warrant granted in respect of private electronic communications. SARA could perform a screening function, ensuring all conditions precedent are fulfilled before an application for a judicial warrant is made. Where all of the conditions were not fulfilled, the omission would have to be rectified before the warrant application could be filed. SARA should be organized such that applications to be made on an exigent basis could be dealt with expeditiously.

  10. The Agency could also screen all police preservation and subscriber information requests, as well as vet any electronic communications custodian decisions to voluntarily disclose any personal electronic communication data to the authorities. (Electronic communication custodians would include telecommunications, banking, and web-based companies, as well as any institution, organization, or corporation that routinely handles communication data.) Voluntary disclosures would first be transmitted to SARA which would then be empowered to determine whether or not they disclosed evidence warranting disclosure to law enforcement. Under exigent circumstances, police would be able to issue a preservation order or make a subscriber information request directly to a communication custodian. However, both the police and the custodian should be required to report to SARA immediately thereafter.

  11. Bearing in mind the need to protect the integrity of any ongoing investigations, SARA would ensure the appropriate notification of any individuals whose privacy has been impacted by surveillance or production warrants, preservation or subscriber information requests, or voluntary disclosures. Contemporaneously, the authorities would be required to attest to the destruction of personal information in respect of innocent parties. Similarly, a uthorities who had received information in error or under a faulty application would report to SARA and attest to the destruction of the information.

  12. SARA would issue an annual detailed public report directly to Parliament on all aspects of the operation of a personal electronic communication surveillance and access regime including:
  • the number of warrants and requests sought, granted, and delivered in relation to both Canadian and foreign investigations;
  • any concerns about the sufficiency of the case for access, the over-breadth of materials disclosed, or the mishandling of personal information by either law enforcement or electronic communication custodians; and
  • an analysis of the offences investigated, the patterns and numbers of innocent and suspected individuals targeted, and the outcomes of the investigations.

  13. SARA would also be required to alert the relevant Attorneys General whenever it had a reasonable basis to believe that law enforcement officials or electronic communication custodians had misapplied the surveillance and access powers so as to warrant discipline, sanction, criminal prosecution, and/or policy changes. And SARA would report annually on the government’s handling of any such alerts.

  14. SARA would also be empowered to commission studies on the privacy impact of new communications technologies and personal information handling practices.

<< Back
Back to Top
To search for a specific word or phrase, use quotation marks around each search term. (Example: "body-worn cameras")