Surveillance Scandals Break as Government Seeks More Spy Powers

[Editor’s note: The federal government’s consultation on national security provides a rare opportunity for Canadians to weigh in on critical issues like Bill C-51.

The government has released a Green Paper backgrounder to shape the consultations. But the BC Civil Liberties Association notes that “in the main, it reads like it was drafted by a public relations firm tasked with selling the current state of extraordinary, unaccountable powers and if anything, laying the groundwork for extending those even further.”

In response, the association has prepared its own series of Green Papers to help you consider an online submission to the national security consultation before the Dec. 1 deadline. The Tyee is pleased to republish the series with permission from the BCCLA.]

Quebec has just announced a public inquiry examining admissions by the province’s two largest police forces that they have been spying on journalists. These revelations are timely, to say the least.

Because while Canadians read news reports of how previously expanded police surveillance powers (warrants for GPS monitoring and tracking) have been undermining press freedom, the federal government is gearing up to expand police and intelligence surveillance powers even further.

To the dismay of Canadians hoping to have good faith discussions about dangerously expanded and unaccountable state powers, the government’s Green Paper for the National Security Consultation includes a sales pitch for a laundry list of further expanded state surveillance powers.

Some of the specific ideas in the paper include:

1) Basic subscriber information: Giving police and intelligence agencies information about telecommunications customers without a warrant.

2) Data retention: Creating a requirement that telecommunications providers store messages and other communications in case police or intelligence agencies want to access them at a later time.

3) Compelled password production: Creating a legal procedure that would compel a person or organization to reveal passwords and decrypt material.

None of these proposals relates exclusively or even mainly to national security. They are all expansions of powers that would apply to all police agencies.

And nowhere in the “digital investigations” section of the Green Paper do we find a discussion of the need for appropriate constraint and oversight of the secretly used surveillance technologies that have been the subject of breaking news across the country for much of the last year, like police use of Stingray devices to scoop up data from cellphones.

Basic subscriber information

For more than a decade there has been a fierce battle about police accessing what is called basic subscriber information from telecommunications companies. This information can include customers’ names, addresses, phone numbers, email addresses, Internet Protocol (IP) addresses and mobile devices’ unique identifiers. The battle has been about what kind of legal protection this information should have. And that depends on whether customers have a “reasonable expectation of privacy” in this information.

As Chris Parsons and Tamir Israel explain, this information can potentially expose not only a detailed biographical profile, but a rough map of your physical locations. In other words, it’s not “basic” in the least. And in 2014 the Supreme Court of Canada agreed in a case called R. v. Spencer.

Since that time we have known without question that there is a significant privacy interest in this information and it should not be available to police for the asking. There’s a pretty standard procedure for dealing with these situations and it’s called a warrant. But the Green Paper seemingly argues against warrants, pointing out that in some countries police and intelligence agencies can access basic subscriber information without going to court.

There is reason to think that the police might be lobbying for a procedure in which they themselves would provide the “warrant” for obtaining basic subscriber information. That is, an investigating officer would go to a designated officer, gives reasons and get authorization.

Would such “self-authorization” be a sufficient constitutional protection for information that can track you online and in the physical world? Assuredly not.

The bottom line: Basic subscriber information must be protected by court oversight on a standard appropriate to its significant privacy interest.

Data retention

The police already have the power to get a preservation order, which is available from a judge on a low standard and allows the police to require preservation of information in cases, for example, in which it will take time to get a search warrant and the information is in danger of being destroyed.

What the Green Paper asks is whether telecommunications companies should be required to retain data for long periods of time, just in case the police need it. Rather like a global preservation order.

Retaining data that isn’t needed for business purposes creates a security risk.

But concerns go beyond data security, as illustrated by the 2014 Court of Justice of the European Union striking down the EU “Data Retention Directive” because the blanket retention of innocent persons’ data violates the EU Charter of Fundamental Rights. It is at least possible that it would violate our charter as well. So at the very minimum, we need to hear from law enforcement as to why preservation orders are insufficient and understand the magnitude of the problems they allege with the current system.

The bottom line: Evidence must be produced to show that current powers are insufficient before any consideration is given to a policy that has already been rejected in Europe as a violation of fundamental rights.

Compelled production of passwords/decryption

It is now common to hear law enforcement state that encryption is a barrier to their investigations. However, our entire digitally mediated world requires strong security, so increasingly the idea of weakening encryption is a non-starter. We have too great a need for cyber-security to undermine it. So it is perhaps unsurprising that the notion of a court-compelled password/decrypting power is being vetted.

The problem with the proposal is that it rests on a violation of one of our most fundamental rights. Even if you have no notion of what’s in the charter, you would know one thing for certain from watching police shows on TV: you have the right to remain silent. This is our right against self-incrimination and it has been called “the organizing principle of our criminal justice system.”

It is very difficult to imagine how a compelled password-type law could be constitutional.

The bottom line: No proposal should even be explored until we have court decisions on compelled passwords in the context of inspections by Canadian Border Services Agency agents. These are cases that are already in play and will provide important guidance. If compelled passwords aren’t constitutional in the border setting, they certainly won’t be constitutional in the setting of the ordinary criminal law.

The need for mass surveillance warrants and Stingrays

In 2016 we learned that police in all parts of the country had used devices known colloquially as “Stingrays” which intercept cellphone data. Our understanding of the procedures being followed for authorizations of these mass surveillance tools (they gather data of all of the people in a given radius) is sketchy. What little we know indicates that the police may be getting court authorizations, but we have reason to believe that those authorizations are likely over-broad and leave the matter of what to do with the hundreds or thousands of people’s data that are not the subject of the search entirely to the discretion of the police.

We know that the police are using these devices, although they largely maintain (absurdly at this point) a “neither confirm nor deny” stance. We don’t know whether CSIS is using these devices, but we do know that CSIS refuses to even confirm to Parliament whether it takes the position that it requires a warrant if it were to use such devices. That CSIS will not answer this fundamental question about its own accountability is as shocking as it is (at this juncture) unsurprising.

The bottom line: We have mass-surveillance technologies (like Stingrays) and we have mass surveillance techniques (like “tower dumps” — police using production orders for phone records of masses of people) and both present unique challenges, in particular with respect to all the innocent people’s data that is incidentally scooped up. We need a special warrant process for mass surveillance technologies and techniques to ensure that rights are properly protected and these processes aren’t being abused.

How concerned should we be about processes being abused?

This week’s headline about the spying-on-journalists scandal provided some timely reflection on what happens when “things go wrong.”

But it doesn’t answer the question of how often “things go wrong?”

Interestingly enough, another headline from the same day points to the answer. It’s about illegal mass data collection and CSIS breaching its duty of candour to the court for years.

It’s the afternoon headline.

Read part one of this series, on No-Fly Lists, here, part two, on criminalizing free speech, here, part three, on secret police, here and part four, on police spying, here.