Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law

Earlier this month Amanda Cutinha and I published a report, entitled “Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law.” In it, we examine how the Government of Canada obtained and used mobility data over the course of the COVID-19 pandemic, and use that recent history to analyse and critique the Consumer Privacy Protection Act (CPPA).

The report provides a detailed summary of how mobility information was collected as well as a legal analysis of why the collection and use of this information likely conformed with the Privacy Act as well as the Personal Information Protection and Electronic Documents Act (PIPEDA). We use this conformity to highlight a series of latent governance challenges in PIPEDA, namely:

  1. PIPEDA fails to adequately protect the privacy interests at stake with de-identified and aggregated data despite risks that are associated with re-identification.
  2. PIPEDA lacks requirements that individuals be informed of how their data is de-identified or used for secondary purposes.
  3. PIPEDA does not enable individuals or communities to substantively prevent harmful impacts of data sharing with the government.
  4. PIPEDA lacks sufficient checks and balances to ensure that meaningful consent is obtained to collect, use, or disclose de-identified data.
  5. PIPEDA does not account for Indigenous data sovereignty nor does it account for Indigenous sovereignty principles in the United Nations Declaration on the Rights of Indigenous Peoples, which has been adopted by Canada.
  6. PIPEDA generally lacks sufficient enforcement mechanisms.

We leverage these governance challenges to, subsequently, analyse and suggest amendments to the CPPA. Our report’s 19 amendments would affect:

  1. Governance of de-identified data
  2. Enhancing knowledge and consent requirements surrounding the socially beneficial purposes exemption and legitimate interest exemption
  3. Meaningful consent for secondary uses
  4. Indigenous sovereignty
  5. Enforcement mechanisms
  6. Accessibility and corporate transparency

While we frankly believe that the legislation should be withdrawn and re-drafted with human rights as the guide stone of the legislation we also recognise that this is unlikely to happen. As such, our amendments are meant to round off some of the sharp edges of the legislation, though we also recognise that further amendments to other parts of the legislation are likely required.

Ultimately, if the government of Canada is truly serious about ensuring that individuals and communities are involved in developing policies pursuant to themselves and their communities, ameliorating disadvantages faced by marginalized residents of Canada, and committing to reconciliation with Indigenous populations, it will commit to serious amendments of C-27 and the CPPA. Our recommendations are made in the spirit of addressing the gaps in this new legislation that are laid bare when assessing how it intersects with Health Canada’s historical use of locational information. They are, however, only a start toward the necessary amendments for this legislation.

Executive Summary

The Government of Canada obtained de-identified and aggregated mobility data from private companies for the socially beneficial purpose of trying to understand and combat the spread of COVID-19. This collection began as early as March 2020, and the information was provided by Telus and BlueDot. It wasn’t until December 2021, after the government issued a request for proposals for cellular tower information that would extend the collection of mobility information, that the public became widely aware of the practice. Parliamentary meetings into the government’s collection of mobility data began shortly thereafter, and a key finding was that Canada’s existing privacy legislation is largely ineffective in managing the collection, use, and disclosure of data in a manner that recognizes the privacy rights of individuals. In spite of this finding, the federal government introduced Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts in June 2022 which, if passed into law, will fail to correct existing deficiencies in Canada’s federal commercial privacy law. In particular, Bill C-27 would make explicit that the government can continue collecting information, including mobility data from private organizations, so long as uses were socially beneficial and without clearly demarcating what will or will not constitute such uses in the future.

This report, “Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under the Socially Beneficial and Legitimate Interest Exemptions in Canadian Privacy Law,” critically assesses the government’s existing practice of collecting mobility information for socially beneficial purposes as well as private organizations’ ability to collect and use personal information without first obtaining consent from individuals or providing them with knowledge of the commercial activities. It uses examples raised during the COVID-19 pandemic to propose 19 legislative amendments to Bill C-27. These amendments would enhance corporate and government accountability for the collection, use, and disclosure of information about Canadian residents and communities, including for so-called de-identified information.

Part 1 provides a background of key privacy issues that were linked to collecting mobility data during the COVID-19 pandemic. We pay specific attention to the implementation of new technologies to collect, use, and disclose data, such as those used for contact-tracing applications and those that foreign governments used to collect mobility information from telecommunications carriers. We also attend to the concerns that are linked to collecting location information and why there is a consequent need to develop robust governance frameworks.

Part 2 focuses on the collection of mobility data in Canada. It outlines what is presently known about how Telus and BlueDot collected the mobility information that was subsequently disclosed to the government in aggregated and de-identified formats, and it discusses the key concerns raised in meetings held by the Standing Committee on Access to Information, Privacy and Ethics. The Committee’s meetings and final report make clear that there was an absence of appropriate public communication from the federal government about its collection of mobility information as well as a failure to meaningfully consult with the Office of the Privacy Commissioner of Canada. The Government of Canada also failed to verify that Telus and BlueDot had obtained meaningful consent prior to receiving data that was used to generate insights into Canadian residents’ activities during the pandemic.

Part 3 explores the lawfulness of the collection of mobility data by BlueDot and Telus and the disclosure of the data to the Public Health Agency of Canada under existing federal privacy law. Overall, we find that BlueDot and Telus likely complied with current privacy legislation. The assessment of the lawfulness of BlueDot and Telus’ activities serves to reveal deficiencies in Canada’s two pieces of federal privacy legislation, the Privacy Actand the Personal Information Protection and Electronic Documents Act (PIPEDA).

In Part 4, we identify six thematic deficiencies in Canada’s commercial privacy legislation:

  1. PIPEDA fails to adequately protect the privacy interests at stake with de-identified and aggregated data despite risks that are associated with re-identification.
  2. PIPEDA lacks requirements that individuals be informed of how their data is de-identified or used for secondary purposes.
  3. PIPEDA does not enable individuals or communities to substantively prevent harmful impacts of data sharing with the government.
  4. PIPEDA lacks sufficient checks and balances to ensure that meaningful consent is obtained to collect, use, or disclose de-identified data.
  5. PIPEDA does not account for Indigenous data sovereignty nor does it account for Indigenous sovereignty principles in the United Nations Declaration on the Rights of Indigenous Peoples, which has been adopted by Canada.
  6. PIPEDA generally lacks sufficient enforcement mechanisms.

The Government of Canada has introduced the Consumer Privacy Protection Act (CPPA) in Bill C-27 to replace PIPEDA. Part 5 demonstrates that Bill C-27 does not adequately ameliorate the deficiencies of PIPEDA as discussed in Part 4. Throughout, Part 5 offers corrective recommendations to the Consumer Privacy Protection Act that would alleviate many of the thematic issues facing PIPEDA and, by extension, the CPPA.

The federal government and private organizations envision the Consumer Privacy Protection Act as permitting private individuals’ and communities’ data to be exploited for the benefit of the economy and society alike. The legislation includes exceptions to consent and sometimes waives the protections that would normally be associated with de-identified data, where such exemptions could advance socially beneficial purposes or legitimate business interests. While neither the government nor private business necessarily intend to use de-identified information to injure, endanger, or negatively affect the persons and communities from whom the data is obtained, the breadth of potential socially beneficial purposes means that future governments will have a wide ambit to define the conceptual and practical meaning of these purposes. Some governments, as an example, might analyze de-identified data to assess how far people must travel to obtain abortion-care services and, subsequently, recognize that more services are required. Other governments could use the same de-identified mobility data and come to the opposite conclusion and selectively adopt policies to impair access to such services. This is but one of many examples. There are similar, though not identical, dangers that may arise should private organizations be able to collect or use an individual’s personal information without their consent under the legitimate interest exemption in the CPPA. Specifically, this exemption would let private organizations determine whether the collection or use of personal information outweighs the adverse effects of doing so, with the individuals and communities affected being left unaware of how personal information was collected or used, and thus unable to oppose collections or uses with which they disagree.

Parliamentary committees, the Office of the Privacy Commissioner of Canada, Canadian academics, and civil society organizations have all called for the federal government to amend federal privacy legislation. As presently drafted, however, the Consumer Privacy Protection Act would reaffirm existing deficiencies that exist in Canadian law while opening the door to expanded data collection, use, and disclosure by private organizations to the federal government without sufficient accountability or transparency safeguards while, simultaneously, empowering private organizations to collect and use personal information without prior consent or knowledge. Such safeguards must be added in legislative amendments or Canada’s new privacy legislation will continue the trend of inadequately protecting individuals and communities from the adverse effects of using de-identified data to advance so-called socially beneficial purposes or using personal information for ostensibly legitimate business purposes.

Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act

Last month I published a report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act.” The report undertakes a critical analysis of Bill C-26 which would empower the government to compel critical infrastructure companies to undertake (or refrain from taking) activities the government was of the opinion would enhance the security of Canada’ critical infrastructure. The report begins by offering a background to why this legislation is seen as necessary by the government and, then, proceeds to assess the elements of the legislation which would modify the Telecommunications Act. Specifically, it focuses on issues associated with:

  • Compelling or directing modifications to organizations’ technical or business activities
  • Secrecy and absence of transparency or accountability provisions
  • Deficient judicial review processes
  • Extensive information sharing within and beyond Canadian agencies
  • Costs associated with security compliance
  • Vague drafting language

30 different recommendations are offered that, if adopted, would leave the government able to compel telecommunications companies to modify their practices while, simultaneously, imbuing the legislation with additional nuance, restraint, and accountability provisions. As drafted, today, the legislation prioritises secrecy at the expense of democratic accountability and would establish law that empowered actions which were unpredictable to private organizations and residents of Canada alike. The effect would be to empower the government to undertake lawful, if democratically illegible, activities. Cybersecurity requires a high degree of transparency and dialogue to be successfully implemented. Security can be and must be aligned with Canada’s democratic principles. It is now up to the government to amend its legislation in accordance with them.

Executive Summary

On June 14, 2022, the Government of Canada introduced “Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.” If passed into law, it will significantly reform the Telecommunications Act as well as impose new requirements on federally regulated critical infrastructure providers. This report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act,” offers 30 recommendations to the draft legislation in an effort to correct its secrecy and accountability deficiencies, while suggesting amendments that would impose some restrictions on the range of powers that the government would be able to wield. These amendments must be seriously taken up because of the sweeping nature of the legislation.

As drafted at time of writing, Bill C-26 would empower the Minister of Industry to compel telecommunications providers to do or refrain from doing anything in the service of securing Canadian telecommunications networks against the threats of interference, manipulation, or disruption. The legislation would authorize the Minister to compel providers to disclose confidential information and then enable the Minister to circulate it widely within the federal government; this information could potentially include either identifiable or de-identified personal information. Moreover, the Minister could share non-confidential information internationally even when doing so could result in regulatory processes or private right of actions against an individual or organization. Should the Minister or other party to whom the Minister shares information unintentionally lose control of the information, there would be no liability attached to the government for the accident.

Where orders or regulations are issued, they would not need to be published in the Canadian Gazette and gags could be attached to the recipients of such orders. There may even be situations where the government could issue an order or regulation, with the aforementioned publication ban and gag, that runs counter to a decision by the Canadian Radio-television and Telecommunications Commission (CRTC) and that overrides aspects of that decision. And in any cases where a telecommunications provider seeks judicial review, it might never see the evidence used to justify an order or regulation. However, if a telecommunications provider is found to have deliberately ignored or failed to adhere to an order, then either the individuals who directed the action or the telecommunications provider could suffer administrative monetary penalties.

This report, in summary, identifies and analyzes a series of deficiencies in Bill C-26 as it is presently drafted:

  • The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.
  • The excessive secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations.
  • Significant potential exists for excessive information sharing within the federal government as well as with international partners.
  • Costs associated with compliance with reforms may endanger the viability of smaller providers.
  • Vague drafting language means that the full contours of the legislation cannot be assessed.
  • No recognition of privacy or other Charter-protected rights exists as a counterbalance to proposed security requirements nor are appropriate accountability or transparency requirements imposed on the government.
  • Even if it is presumed that the government does need the ability to encourage or compel telecommunications providers to modify their technical or business operations to enhance the security of their services and facilities, it is readily apparent that more transparency and accountability should be required of the government. All of the recommendations in this report are meant to address some of the existent problems in the legislation.

Should these recommendations or ones derived from them not be taken up, then the government will be creating legislation of the worst kind insofar as it will require the public—and telecommunications providers—to simply trust that the government knows what it is doing, is reaching the right decisions, and that no need exists for a broader public discussion concerning the kinds of protections that should be put in place to protect the cybersecurity of Canada’s telecommunications networks. Cybersecurity cannot thrive on secretive and shadowy government edicts. The government must amend its legislation to ensure its activities comport with Canada’s democratic values and the norms of transparency and accountability.

Unpacking the CSE’s 2021-2022 Annual Report

black binocular on round device
Photo by Skitterphoto on Pexels.com

The Communications Security Establishment (CSE) released its 2021-2022 Annual report on June 28, 2022.1 The CSE is Canada’s leading foreign signals intelligence and cryptologic agency. It is specifically tasked with collecting foreign intelligence, defending government of Canada networks as well as private networks and systems deemed of importance by the government, providing assistance to federal partners, and conducting active and defensive cyber operations.2 The CSE operates as a Canadian equivalent to the United Kingdom’s GCHQ.

Five things stood out to me in the annual report:

  1. It provides more details about the kinds of active and defensive cyber operations that the CSE has undertaken while also clarifying when such operations might take place. This information is important given the potentially deleterious or unintended impacts of the CSE exercising these capabilities. It is, however, worth recognizing that the CSE is casting these activities as preventative in nature and does not include a legal discussion about these kinds of operations.
  2. The report extensively discusses threats to critical infrastructure and the activities that the CSE is undertaking to defend against, mitigate, or remediate such threats. Many of the currently voluntary engagements between the CSE and industry partners could become compulsory (or, at a minimum, less voluntary), in the future, should Canada’s recently tabled infrastructure security legislation be passed into law.
  3. We generally see a significant focus on the defensive side of the CSE’s activities, vis-a-vis the Cyber Centre. This obscures the fact that the majority of the agency’s budget is allocated towards supporting the CSE’s foreign intelligence and active/defensive cyber operations teams. The report, thus, is selectively revelatory.
  4. No real discussion takes place to make clear to readers how aspects of the CSE’s foreign intelligence, cybersecurity/information assurance, assistance, or active or defensive cyber operations authorities may interoperate with one another. The result is that readers are left uncertain about how combinations of authorities might enable broader operations than are otherwise self-apparent.
  5. As I raise at several points when analyzing the annual report there are a number of situations where information in the annual report risks concealing the broader range(s) of actions that the CSE may undertake. Readers of the annual report are thus advised to critically assess the annual report and read what it specifically says instead of what it may imply.

In this post, I proceed in the order of the report and adopt the headlines it used to structure content. After summarizing some of the highlight elements in a given section I proceed with a short discussion of the relevant section. The post concludes with a broader assessment of the annual report, what was learned, and where more information is desirable in the future.

Continue reading

The Policy and Political Implications of ‘Securing Canada’s Telecommunications Systems’

silhouette photo of transmission tower on hill
Photo by Troy Squillaci on Pexels.com

Many of Canada’s closest allies have either firmly or softly blocked Huawei and ZTE from selling telecommunications equipment to Internet service providers in their countries over the past several years. After repeated statements from Canadian government officials that a review of Huawei equipment was ongoing, on May 19, 2022 the government announced its own bans on Huawei and ZTE equipment. The government published an accompanying policy statement from Innovation, Science, and Economic Development (ISED) Canada on the same day.

This post begins by summarizing the possible risks that Chinese vendors might pose to Canadian networks. Next, it moves to discuss the current positions of Canada’s closest allies as well as Canada’s actions and statements pertaining to Chinese telecommunications vendors leading up to the May 2022 announcement. It then proceeds to unpack the government’s “Securing Canada’s Telecommunications System” policy statement. Some highlight findings include:

  • The government is unclear when it refers to “supply chain breaches”;
  • The government may be banning Huawei and ZTE principally on the basis of American export restrictions placed on Chinese vendors and, thus, be following the same model as the United Kingdom which was forced to ban Huawei following American actions; and
  • Establishing the security and protection of telecommunications systems as an “overriding objective” of Canadian telecommunications policy could have long-term implications for Canadians’ privacy interests.

The post concludes by discussing the policy and political implications of the policy statement, why any telecommunications security reforms must not be accompanied by broader national security and law enforcement reforms, and why the Canadian government should work with allied and friendly countries to collectively assess telecommunications equipment.

Continue reading

Findings and Absences in Canada’s (Draft) International Cybersecurity Strategy

low angle photography of high rise building
Photo by Andre Furtado on Pexels.com

For several years there have been repeated calls by academics and other experts for the Government of Canada to develop and publish a foreign policy strategy. There have also been recent warnings about the implications of lacking such a strategy. Broadly, a foreign policy strategy is needed for Canada to promote and defend its interests effectively.

Not only has the Government of Canada failed to produce a foreign policy strategy but, also, it has failed to produce even a more limited strategy that expresses how Canada will develop or implement the cyber dimensions of its foreign policy. The government itself has been aware of the need to develop a cyber foreign policy since at least 2010.1

As I have previously written with colleagues, an articulation of such a cybersecurity strategy is necessary because it is “inherently a discussion of political philosophy; not all actors share the same understanding of what is, or should be, the object of security, nor is there necessarily a shared understanding of what constitutes a threat.” To clearly and explicitly assert its underlying political values Canada needs to produce a coherent and holistic cyber foreign policy strategy.

On May 18, 2021 the Chief of the Communications Security Establishment, Shelly Bruce, stated that Global Affairs Canada (GAC) was leading the development of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative.” I subsequently filed an ATIP for it and received the relevant documents on March 31, 2022.2 GAC’s response included successive drafts of “Canada’s International Cybersecurity Strategy and our Diplomacy Initiative” (hereafter the ‘Strategy’ or ‘CICSDI’) from January 2021 to May 2021.

Some of my key findings from the CICSDI include:

  1. The May 2021 draft links the scope of the Strategy to order and prosperity as opposed to advancing human rights or Canadian values.
  2. The May 2021 draft struck language that Canadians and Canadian organisations “should not be expected to independently defend themselves against state or state-backed actors. There are steps only government can take to reduce cyber threats from state actors”. The effect may be to reduce the explicit expectation or requirement of government organisations to assist in mitigating nation-state operations towards private individuals and organisations.
  3. The May 2021 draft struck language that GAC would create a cyber stakeholder engagement action plan as well as language that GAC would leverage its expertise to assist other government departments and agencies on engagement priorities and to coordinate international outreach.
  4. None of the drafts include explicit reference to pressing international issues, including: availability of strong encryption, proliferation of cyber mercenaries, availability and use of dual-use technologies, online harms and disinformation, authoritarian governments’ attempts to lead and influence standards bodies, establishing a unit in GAC dealing with cyber issues that would be equivalent to the US State Department’s Bureau of Cyberspace and Digital Policy, or cyber operations and international law.
  5. None of the drafts make a positive case for what would entail an appropriate or responsible use of malware for cyber operations.

In this post I summarise the highlights in the drafts of the Strategy and, then, proceed to point to larger language and/or policy shifts across successive drafts of the CICSDI. I conclude by discussing some policy issues that were not mentioned in the drafts I obtained. While the draft has never been promulgated and consequently does not formally represent Canada’s foreign cybersecurity strategy it does present how GAC and the government more broadly conceptualised elements of such a strategy as of early- to mid-2021.

Continue reading

Unpacking NSICOP’s Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

grayscale photo of man and woman hacking a computer system
Photo by Tima Miroshnichenko on Pexels.com

On February 14, 2022, the National Security and Intelligence Committee of Parliamentarians (NSICOP) released a report that explored how the Government of Canada sought to defend its systems and networks from cyber attack from 2001 onwards.1 The report provides a comprehensive account of how elements of the Government of Canada–namely the Treasury Board Secretariat (TBS), Shared Services Canada (SSC) and Communications Security Establishment (CSE)–have developed policies, procedures, and techniques to protect government systems, as well as the iterative learning processes that have occurred over the past two decades or so pertaining to governmental cyber defence activities.

I want to highlight four core things that emerge from my reading of the report:

  1. From an empirical point of view, it’s useful to know that the Government of Canada is preparing both a policy on paying ransomware operators as well as developing a Vulnerabilities Disclosure Policy (VDP) though the report does not indicate when either will be open to public comment or transformed into formal government policy;
  2. A high-level discussion of senior coordination committees is provided, though without an accompanying analysis of how effective these committees are in practice. In particular, the report does not discuss how, as an example, cross-departmental committees are working to overcome problems that are raised in the sections of the report focused on TBS, SSC, or the CSE;
  3. NSICOP maintains that all parties associated with the government–from Crown corporations, to government agencies, to other independent branches of government–should operate under the government’s security umbrella. NSICOP does not, however, make a constitutional argument for why this should be done nor assess the operational reasons for why agencies may not currently operate under this umbrella. Instead, the report narrowly argues there are minimal privacy impacts associated with enjoying the government’s cyber security protections. In doing so, the committee presumes that privacy concerns have driven separate branches of governments to operate outside policies set by TBS, and services offered by SSC and the CSE. At no point did the Committee engage with the Office of the Privacy Commissioner of Canada (OPC) to assess potential privacy issues associated with the government’s cyber security policies and practices; and
  4. NSICOP did not canvas a wide set of government agencies in their interviews and included no external-to-government parties. The consequence is that the report does not provide needed context for why some government agencies refuse to adopt TBS policy guidance or regulations, decline services operated by SSC, or have limited uptake or adoption of advice or technical systems offered by the CSE. The consequence is that this report does nothing to substantively assess challenges in how TBS, SSC, or the CSE themselves are deploying their defensive capacities across government based on the experiences of those on the receiving end of the proffered cyber security and defence offerings.

In this post, I conduct a deep dive into NSICOP’s report, entitled “National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack.” Throughout, I summarize a given section of the report before offering some analysis of it. In the conclusion of this post I summarize some of the broader concerns associated with the report, itself, as well as the broader implications these concerns may have for NSICOP’s long-term viability as an independent reviewer of the national security community.

Continue reading