Lawful Access, Its Potentials, and Its Lack of Necessity

Image by mattwi1s0n

New surveillance powers are typically framed using benevolent and/or patriotic languages. In the United States, we see the PATRIOT Act, the Stored Communications Act, and National Security Letters. Powers associated with this surveillance assemblage have been abused and people have been spied upon in violation of the law, bureaucratic procedure, and regardless of demonstrating real and present dangers. The UK has the Regulation of Investigatory Powers Act (RIPA), which significantly expanded the capabilities of police and intelligence to monitor citizens in previously illegal ways. This legislation is also used improperly, as revealed in the yearly reports from the Interception Commissioner. In Canada, the Canadian government has publicly stated its intention to press ahead and introduce its lawful access legislation despite concerns raised by the public, members of the advocacy and academic community, and the information and privacy commissioners of Canada. Here, we can also expect uses of lawful access powers to overstep stated intents and infringe on Canadians’ rights, intrude upon their privacy, and injure their dignity.

Over the past months I’ve been actively involved in working with, and talking to, other parties about lawful access legislation. This has included speaking with members of the media, publishing an op-ed, and conducting various private discussions with stakeholders around Canada who are concerned about what this legislation may (and may not) mean. Today, in the interests of making public some of the topics of these discussions, I want to address a few things. First, I quickly summarize key elements of the lawful access legislation. Next, I note some of the potentials for how lawful access powers will likely be used. None of the potentials that I identify depend on ‘next generation’ technologies or data management/mining procedures: only technologies that exist and are in operation today are used as mini-cases. None of the cases that I outline offer significant insight into the operational working of stakeholders I’ve spoken with that can’t be reproduced from public research and records. I conclude by questioning the actual need for the expanded powers.

What is Lawful Access?

Lawful access legislation enhances policing and intelligence powers. As recognized by Ontario’s Information and Privacy Commissioner, Ann Cavoukian, “it is highly misleading to call it “lawful.” Let’s call it what it is – a system of expanded surveillance.” In general, there are three classes of access powers associated with such legislation: search and seizure provisions, interception of privacy communications powers, and production of subscriber data. On the basis of past lawful access legislation that has been tabled, but not passed, we can expect forthcoming legislation to ‘modernize’ the existing criminal code to accommodate several of these powers.

To begin, the legislation is expected to require telecommunications service providers (such as Internet service providers, web forums, bloggers, etc) to be able to decrypt any communications they are responsible for encrypting. Such encryption services might be used to ensure customer privacy, such as by offering secured communications between parties. While communications may generally be secure they cannot legally be made secure from the government by a service provider offering a turnkey encryption solution. In effect, communications will thus be pseudoencrypted: protected against adversaries with the same level of power as the services’ users, but unprotected against the more powerful agents such as the state.

In addition, telecommunications service providers (TSPs) will need the ability to retain data on subscribers for up to 90 days. TSPs may be served with preservation orders, which would require them to retain data on specific individuals. Preserved data would be transferred to authorities once they have secured a production order from a judge and issued the order to the TSP. The TSP could then delete/destroy the preserved data.

Whereas preservation orders are used to require storage of the content of communications, police can access subscriber information without first receiving a court order. A wide variety of information may be disclosed, including:

  • name
  • address
  • telephone number
  • electronic mail address
  • Internet protocol address
  • mobile identification number
  • electronic serial number
  • local service provider identifier
  • international mobile equipment identity number
  • international mobile subscriber identity number
  • subscribe identity module card number associated with the subscribers’ service and equipment

This information lets authorities definitely identify individuals and the records held on them by the TSPs used in the communications process. Accompanying the no-warrant-required elements of the bills is a capacity for authorities to install ‘number recorders’ in TSPs’ communications hubs in exigent circumstances. As noted by the National Post’s Kathryn Blaze Carlson:

A number recorder, which records the telephone numbers associated with outgoing and incoming calls, would be installed remotely by a telecommunications provider at their call centre hub. The installation can last up to 60 days, but it could be extended to one year if a warrant is obtained and if the investigation involves organized crime or terrorism.

The legislation also introduces the ability to activate and/or monitor the signals emitted from location-enabled devices that Canadians carry with them or are in regular contact with. Police can do this today but lawful access legislation would permit them to activate disabled locational systems (e.g. your phone’s GPS) including in covert ways. Such actions could be undertaken with court supervision or, potentially, in instances of emergency or exigent circumstances. It should be noted that access to geolocatational information is more expansive than just your physical location at a particular time: the legislation is also intended to let authorities discover the location of “transactions such as geo‐tagged comments or photos from private sector service providers.” (.pdf source).

It is unlikely that a targeted Canadian will be made aware of lawful access-enabled surveillance unless charges are brought to bear. As noted in the letter that was sent to the Prime Minister’s Office in August 2011 (.pdf), and re-confirmed in Blaze’s piece, there are elements of the legislation that impose ‘gag’ orders on anyone who is ordered to comply with lawful access powers. Specifically,

Clause 6(2) permits the government to impose, in regulations, sweeping and categorical confidentiality obligations on service providers that will apply across all interception warrants. Second, under Clause 71, any telecommunications service provider obligated to comply with a warrantless seizure request will be subject to the secrecy provisions in proposed section 7.4 of PIPEDA. Proposed section 7.4 of PIPEDA prevents organizations from disclosing the fact of their cooperation with state efforts to spy on their customers. The sweeping nature of the secrecy measures envisioned by these provisions is in stark contrast to existing practice, where gag orders must be requested from a judge and justified on a case by case basis. The problem with such measures is that they will prevent individuals from challenging abuses of the powers granted in this Bill.

Lawful Access, In Summary

As I wrote in an op-ed in the Vancouver Sun in October, this legislation can be summarized as requiring:

  • Corporate surveillance. Internet service providers, mobile phone providers, and even the websites that Canadians visit could become agents of the state, forced to preserve records of Canadians’ actions at the request of authorities (Source);
  • Minimal oversight. Audit powers will be offloaded to privacy commissioners without corresponding material or legislative resources to effectively conduct audits and limit abuse (Source);
  • Warrantless disclosures. Internet users’ subscriber information will be disclosed to authorities, regardless of the information’s usefulness or uselessness to an investigation (Source);
  • Secrecy orders. Authorities might collect Canadians’ private information without those Canadians ever knowing about the collection or the reasons for collecting it (.pdf Source).

Lawful Access in Practice

A large number of Canadians who look at these proposals may feel some unease but then quickly assert that the legislation is ultimately innocuous. The standard rhetoric is that “If you have nothing to hide then you shouldn’t fear this legislation.” Such a statement obfuscates the realities of both contemporary policing and what studies demonstrate about how people actually versus rhetorically understand privacy. To begin, contemporary policing is deeply invested in identifying deviant behaviour and acting upon it in an ‘actuarial’ manner. David Lyon, a world-leading scholar on the topic and issue of surveillance, presciently wrote the following back in 2003:

As with database marketing, the policing systems are symptomatic of broader trends. In this case the trend is towards attempted prediction and pre-emption of behaviours, and of a shift to what is called “actuarial justice” in which communications of knowledge about probabilities plays a greatly increased role in assessments of risk (Lyon 2003: 15-16).

Thus, mistakenly being situated in a wrong category can have significant implications on one’s life regardless of whether a person has ‘something to hide’ or not. The degree to which one is public is (arguably) secondary to the ‘types’ of people one knowingly and unknowingly associates with, whom their associates are connected to, and the risk profiles that are assigned to those communicative partners and their colleagues. To make this somewhat clearer, consider the following: In college/university/your private life you likely communicate with individuals who have, or presently do, agitate peacefully against certain state behaviours. You may or may not be aware that those individuals agitate. Perhaps you have/do engage in discussions with those people online, either on websites that those opposed to certain state behaviours, or in the comments section of newspaper articles, or other electronic formats. Should the police be interested in tracking the individuals invested in an issue (e.g. legalization of marijuana, legal issues surrounding sex work in Canada, protest against federal decisions concerning Sri Lanken immigrants, etc) then they may request available subscriber records for all who have participated in the online discussion.

Now, let’s again assume that you were not supportive of opposition to an official government position and thus aren’t necessarily of direct interest to authorities. Regardless, your subscriber data and that of everyone else engaged in these discussions might be requested by the police. No warrant is required to provide this information. Let’s assume that you used a unique pseudonym and throwaway email address. The authorities would gain access to your IP address and email address. They would get the same information for every participant of the discussion. With this information they could turn to whomever provided the email account, as well as contact the ISP who provisioned the IP address at the specific time that you posted your message. With information from the email provider they may be able to definitely identify the ISP that you use and, from there, your name, address, and so forth. Thus, you as ‘hungrybunny19’ are identified as ‘John Smith’ who was involved in discussion with individuals who authorities are interested in monitoring for some reason or another. John Smith, you, are subsequently added into a database as associating with persons the authorities find questionable. Mr. Smith will never know that he was added into such a database because the service provide could not legally disclose that the information had been released and, as a result, Mr. Smith’s life prospects may change for legally associating and speaking with those who were similarly engaged in legal speech and association.

Perhaps you insist that this doesn’t describe you: you would never communicate about anything in any electronic environment with any person that would ever be of interest to authorities (and, if you can make and stand by these claims, you’re vetting the people that you speak with using intelligence-service-level thoroughness!). Perhaps you have a cellular phone and you have passed near major events that the police have an interest in monitoring. For example: you may have been involved in peacefully assembling during the G20 in Toronto, been a passive spectator at the Vancouver riots, visited an Occupy camp, or may simply pass by union members who are protesting working conditions in a public space several times a day as you walk around your city conducting legitimate personal business. In all cases, the authorities may have an interest in monitoring individuals associated with such groups. Using a technology known in the United States as ‘Stingray’ or, more precisely, IMSI catcher surveillance equipment, police can impersonate a cellular tower and capture all the IMSI numbers within several kilometers of the catcher (.pdf source). The IMSIs, or International Mobile Subscriber Identity numbers, can be taken to a mobile phone provider and used to compel the subscriber data associated with the caught IMSI numbers. Thus, should one of these catchers be deployed by authorities ‘just in case’ an individual may find their personal information sent along to police on the basis of their physical presence during a legal public event. The capacity to acquire IMSI numbers en masse, combined with legal powers to compel subscriber information, creates the perfect framework for mass fishing expeditions based on where citizens are physically present.

Canadians may be uncomfortable with these propositions but immediately follow up with the position that such concerns are hyperbolic. Unfortunately, a brief reflection on the history of surveillance in Canada and present actions taken by our allies (depressingly) suggests that these concerns are practically banal. During the Vancouver Olympics authorities spent incredulous amounts of money on security, an element of which was allocated towards monitoring legal associations of citizens. As disclosed in memos there were no specific, credible, terror threats against the Vancouver Olympics. Despite these threat assessments, citizens who had specific political and economic concerns were routinely placed under surveillance. In effect, citizens conducting legal actions that might lead to disruptions of the games became targets of a surveillance apparatus designed to prevent the next Munich massacre. Surveillance and intelligence gathering did not solely focus on citizens involved in protesting government actions or others associated with the Olympics, but also their contacts, friends, students, former partners, and academic and professional acquaintances. Efforts were also made to recruit neighbours, friends, and acquaintances to spy on suspected activists, and the RCMP tried to legally shield itself from fulfilling FOI requests under the guise of operational security. Under lawful access legislation, the lines of inquiry could expand beyond police associations of people online – the aforementioned people communicating in Web forums – to using technologies like IMSI catchers to identify who is often nearby citizens-under-suspicion. Having coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.

Further, Canadian authorities have a history of monitoring those who are often the least-advantaged in our society. Consider that Military Intelligence places native communities under intense surveillance. As reported in the Globe and Mail, eight reports were generated in just 18 months. Surveillance was conducted to record Natives’ concerns surrounding new tax policies, potential to blockade Highway 401, and possible future protests, lobbying activities, and lawful associations. The group responsible for this surveillance was a counter-intelligence body charged with “identifying, investigating and countering threats to the security of the Canadian Forces and the Department of National Defence from foreign intelligence services, or from individuals/groups engaged of espionage, sabotage, subversion, terrorism, extremism or criminal activities.” At no point in the reports is it evident that native groups fell under the latter set of descriptors. With the introduction of lawful access legislation other authorities could have become involved in the surveillance and compelled telecommunications providers to disclose the contents of communications. Further, using previously mentioned tactics embedded in the legislation, subscriber information and who was communicating with who could have been determined without warrant or court oversight.

In short, it is entirely plausible that lawful access could be utilized to expand existing surveillance practices conducted by Canadian authorities. There are serious oversight concerns. Specifically, the Office of the Privacy Commissioner of Canada would be hamstrung in auditing the surveillance conducted and its motivations, and the legislation fails to extend the powers of that Office to accommodate the expansion of police powers. Further, where local or provincial police conduct surveillance, audit responsibilities would fall to provincial commissioners and they similarly lack the resources to mount full-scale audits of authorities’ proposed expansive surveillance practices. This position is forcefully stated the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian. She poignantly writes that,

Canadians must press the federal government to publicly commit to enacting much-needed oversight legislation in tandem with any expansive surveillance measures. Intrusive proposals require, at the very least, matching legislative safeguards. The courts, affected individuals, future Parliaments and the public must be well informed about the scope, effectiveness and damaging negative effects of such intrusive powers.

The Need for Lawful Access

Over the past months I’ve had the opportunity to speak with counsellors, engineers, privacy officers, and policy staff for telecommunications service providers. This has ranged the gamut from ISPs to an ex-VoIP provider employee to webmasters responsible for large online environments to policy wonks for massive Internet-based corporations. The various parties I’ve spoken with have held varying opinions on the previously proposed lawful access legislation; everything from cost issues, to rights problems, to implementation woes, to issues of being identified as a ‘problem’ in the policing process.

All, however, have told me in almost every case that data is requested on exigent circumstances grounds it is, in fact, disclosed.

What, specifically, is the need driving the legislation then? Authorities have routinely insisted that lawful access powers would only be used when investigating the most serious of crimes (e.g. see this audio interview with the CBC’s ‘Spark’) but in other jurisdictions we regularly have seen expanded surveillance used to investigate less serious offences. For extensive documentation of such ‘expanded uses’, see Priest’s and Arkin’s Top Secret America: The Rise of the New American Surveillance State, allegations that the FBI conducted dragnet surveillance to trace bank robbers, claims that routine conversations lead individuals to be labeled as potential terrorists in government databases, inappropriate monitoring of hundreds of people each year, yearly monitoring of over 500,000 people’s communications records, or the usage of terror-based surveillance provisions to ensure children are registered in correct school districts. I cannot state emphatically enough: this is a very small sampling of how widely used lawful-access style legislation is used by our closest of close economic, political, and military allies. There is no reason that Canadian authorities won’t demonstrate the same types of behaviour.

British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, has asserted that authorities have not demonstrated evidence that investigations have been thwarted under existing access powers. Authorities have failed to provide empirical data that reveal a clear and present need for enhanced powers contained in past, or forthcoming, lawful access legislation. Authorities have noted concerns with warranting processes and if these concerns are legitimate (insofar as they can be documented using empirical datasets) then perhaps Parliament should consider modifying the warranting process or increase resources so that warrants can be processed more rapidly. If, however, authorities are simply looking abroad and finding their power lacking in comparison – and cannot clearly outline why they need their compatriots’ powers to protect us from truly serious crimes – then they should not be granted expanded powers. Police and other authorities should not be permitted to infringe upon Canadians’ rights and further erode expectations of communicative privacy, associative privacy, or basic dignities on the basis of cross-jurisdictional envy.