Lawful Access Returns: Online Harms and Warrantless Access to Subscriber and Transmission Data

zombies behind shabby door
Photo by cottonbro on

For the better part of twenty years, law enforcement agencies in Canada have sought warrantless access to subscriber data that is held by telecommunications service providers and other organizations. The rationale has been that some baseline digital identifiers are needed to open investigations into alleged harms or criminal activities that have a digital nexus. Only once these identifiers are in hand can an investigation bloom. However, due to the time that it takes to obtain a relevant court order, as well as challenges in satisfying a judge or justice that there is a legitimate need to obtain these identifiers in the first place, these same agencies recurrently assert that an initial set of seed digital identifiers should be disclosed to officers absent a court order.

The Government of Canada has, once more, raised the prospect of law enforcement officers obtaining subscriber or transmission data without warrant when undertaking activities intended to “enhance efforts to curb child pornography.” This time, the argument that such information should be made available is in the context of combatting online harms. The government has heard that companies should include basic subscriber or transmission data in their child pornography-related reports to law enforcement, with the effect of law enforcement agencies getting around the need to obtain a warrant prior to receiving this information.

In this post I start by discussing the context in which this proposal to obtain information without warrant has been raised, as well as why subscriber and transmission data can be deeply revelatory. With that out of the way, I outline a series of challenges that government agencies regularly experience but which tend not to be publicly acknowledged in the warrantless access debates associated with child sexual abuse material (CSAM). It is only with this broader context and awareness of the challenges facing government agencies in mind that it becomes apparent that warrantless access to subscriber or transmission data cannot ‘solve’ the issues faced by agencies which are responsible for investigating CSAM offences. To develop appropriate policy solutions, then, we must begin by acknowledging all of the current obstacles to investigating these offences. Only then can we hope to develop proportionate policy solutions.

Zombie Policy Proposals

Liberal and Conservative governments alike have regularly introduced lawful access legislation in Canada over the past several decades. This legislation has tended to include provisions that would let law enforcement agencies obtain access to subscriber data without warrant.1 Suffice to say that this policy issue has come up regularly and became an even more important issue to the government following a 2014 Supreme Court decision. The 2014 decision in Spencer found that a method that government agencies had been using to obtain subscriber information without warrant —namely, the exploitation of ‘lawful authority’ language in Canada’s commercial privacy legislation2— unreasonably infringed upon Canadians’ rights and freedoms. Post-Spencer, police agencies were required to obtain a court order if they were to compel private companies to disclose subscriber information.

Ever since Spencer there have been efforts to find ways of obtaining some information without a court order. The rationales are often that, without such information, crimes associated with CSAM cannot or will not be investigated, and that it simply takes too long to obtain court orders for subscriber information in a way that does not unduly burden policing agencies. When it comes to federal agencies one of the reasons they typically seek basic subscriber information, in the context of CSAM investigations, is to determine which local policing force should open investigations linked with CSAM that has been disclosed to federal authorities from private companies or organizations.

Revelatory Nature of Subscriber and Transmission Data

Arguments from the Canadian government, as well as other western governments, in favour of obtaining access to basic subscriber information (BSI) revolve around the idea that such information is not, in and of itself, particularly revelatory insofar as it does not lead to precise determinations of a person’s private life or daily habits. If the pandemic has made anything clear it is that our daily lives are intricately and intractably entwined with the activities we undertake online.

Basic subscriber and transmission information can be used to determine the websites you’ve visited, the pseudonyms that you might have used, or content that you’ve been reading. As such, this information is by definition quite revelatory. As noted by the Electronic Frontier Foundation in their analysis of a cross border surveillance treaty which Canada helped to negotiate, and is expected to sign:

…subscriber information such as a person’s address and telephone number, under certain conditions, is frequently used by police to uncover people’s identities and link them to specific online activities that reveal details of their private lives. Disclosing the identity of people posting anonymously exposes intimate details of individuals’ private lives.

Transmission data, similarly, can have equivalent revelatory potentials when the digital identifiers are used to uncover a person’s identities and online activities. To be clear, there are gradients of information that are more or less revealing. However, in Canada past discussions that focused on providing law enforcement agencies with less revealing information to facilitate the start of CSAM investigations were quickly hijacked by local law enforcement agencies, which insisted that these powers be available to facilitate investigations into all criminal matters as well as non-criminal events to which police respond.

Combatting CSAM in Canada

Canadian law enforcement agencies do have significant and ongoing challenges when it comes to investigating the alleged production, distribution, reception, or use of CSAM. However, the full context of these challenges are often poorly presented to the public with the effect of obscuring potential policy solutions to the problems at hand. Some of these less-public challenges include:

  1. The number of CSAM reports that law enforcement agencies receive can be (and often are) overwhelming. Social media services, Internet platforms, and other intermediaries tend to have automated systems to monitor for the presence of CSAM content. When such content is detected, companies will generate a report that is sent to a jurisdictionally appropriate government or government-adjacent body that is responsible for intaking these reports. The sheer volume of these automated notices cannot be ignored; companies that have developed and implemented high-quality assessment and reporting capabilities, such as Facebook, can report tens of millions of instances of CSAM each year. This flood of information can be challenging for intake organizations and agencies to manage given their resource limitations, and the volume creates a challenge for law enforcement agencies to subsequently pursue investigations given their own resourcing limitations.
  2. The information received by law enforcement can sometimes be stale. After a major CSAM-related law enforcement investigation, the agency or agencies involved in the investigation may have access to servers that hosted CSAM and facilitated its distribution. Those servers may include digital identifiers, such as IP addresses or other forensic information, which link a user, an account, or the distribution or reception of CSAM materials to individuals in various countries. Such identifiers are commonly shared with relevant law enforcement agencies, so that those individuals can be pursued by their domestic law enforcement bodies. However, identifiers can be quite stale insofar as domestic telecommunications companies or online service providers may not have a record of which subscriber or user was assigned, or used, a given IP address at the time of the alleged offence. The result is that a bulk of identifiers can be received by Canadian agencies but they may be unable to use those identifiers to open investigations.
  3. Acting on received data can take quite some time. Because of the sheer volume of reports that are provided to centralized federal agencies that lead the CSAM file, and inadequate funding to these same agencies to address this serious criminal offence, it can often take quite some time to actually act on received information. Acting, in this case, usually involves seeking information from communications services providers (CSPs) that can link identifiers to particular subscribers, with the information from CSPs then passed to local agencies that are responsible for launching a full-scale investigation.3 However, because of the delay in contacting CSPs they may not still possess a record of which subscriber used a given IP address or other identifier at a given time, or even a record of the subscriber if their account has been deleted.4 This can have the effect of making it challenging to advance an investigation. Furthermore, under Canadian law CSPs are required to delete information when they no longer have a business reason to retain it, which is an essential component of Canadian commercial privacy law. However, this means that CSPs cannot indefinitely retain information. Thus, government agencies must make timely requests for relevant subscriber or transmission data and then hope that the CSP(s) in question still possess it.
  4. Production orders may request large volumes of information from CSPs. Following Spencer it has been increasingly common for law enforcement agencies to request relatively large volumes of information at the same time as when they are seeking subscriber data. The rationale is that if a court order is being sought then, ideally, as much information as possible should be obtained. This has the effect, however, of slowing down the rate at which orders are responded to; while fulfilling a basic subscriber information request might be relatively quick, a more comprehensive collection of all relevant records associated with a given subscriber can take quite a bit of time. The longer it takes to obtain the relevant records, the longer it takes for federal authorities to transmit relevant information to local police to open investigations.
  5. Local law enforcement may decline to take up an investigation. Even should the federal agencies manage to obtain subscriber information that links a given IP address or other digital identifier to a specific CSP’s subscriber, the local agency to which they send this information may decline to open an investigation. Indeed, because of the high volume of these disclosures from federal to local or provincial law enforcement, it may be seen as functionally impossible for local or provincial law enforcement agencies to investigate many of these alleged criminal acts due to resourcing limitations or a lack of technological expertise to carry out the investigations.

In addition to the aforementioned challenges in simply obtaining sufficient information for local authorities to decide if they want to open an investigation, the debates over warrantless access to subscriber or transmission data are linked to a history of perceived government overreaches. As an example, in 2017, when the government was having discussions with members of civil society and the business community concerning the conditions under which some information might be disclosed to advance CSAM investigations, there was a shift to suggest that the same powers and disclosures were needed not just for investigating CSAM-related crimes but, also, for comparatively minor offences or even non-criminal events (e.g., returning a person’s mobile phone to them). Bait and switch maneuvers like this have resulted in stakeholders generally perceiving the government’s proposals as disingenuous efforts to obtain warrantless access to subscriber information and transmission data, for crimes and offences writ large.

Furthermore, it must be recognized that the source of this zombie-like policy and legal debate concerning warrantless access to subscriber information stems from a relatively secretive arrangement that was concocted between Canadian telecommunications executives and the Canadian government. This agreement had the effect of creatively interpreting commercial privacy legislation to authorize Charter-violating disclosures of subscriber information in the first place. To put it bluntly, this ‘debate’ is meant (from the government’s point of view) to return to a situation where government agencies can once more obtain information in a manner that the Supreme Court of Canada has found to violate Canadian residents’ Charter rights.

All of which is to say: the challenges facing law enforcement agencies are much more extensive that typically framed to the public. Further, there is a history of government agencies calling for a delimited kind of information sharing and then, in a bait and switch, demanding that the limitations largely be removed. Finally the very origin of the ‘debate’ over warrantless access to subscriber information and transmission data is linked to authorities having to now obtain judicial consent to get subscriber information after they had previously infringed Canadians’ Charter rights and freedoms for over a decade by obtaining such information without judicial supervision.

Warrantless Access to Subscriber and Transmission Data Will Not Solve the CSAM Problem

There are Canadians that are actively involved in illegal activities, such as producing, distributing, transmitting, and using CSAM. This is not a new problem, however, and even during the pre-Spencer era authorities were overwhelmed and regularly unable to investigate all cases of alleged criminal behaviour associated with CSAM.

Many of the aforementioned challenges facing law enforcement bodies’ investigation of CSAM criminal acts are linked to a failure to adequately resource law enforcement. In a democratic society we expect law enforcement agencies and officers to adhere to the rule of law and seek appropriate judicial approval prior to infringing upon residents’ rights and freedoms, while at the same time expecting law enforcement to prioritize investigations into the worst crimes in society.

As a Canadian public we recognize that CSAM-related offences are amongst the most heinous of crimes. Canadian governments at the provincial and federal levels, however, have not adequately resourced and staffed relevant agencies to undertake the preliminary processes to obtain production orders for subscriber and transmission data, nor have they adequately resourced or directed local authorities to prioritize CSAM-related crimes. We are already in a situation where policing agencies are awash in potential CSAM-related criminal offences to investigate: ensuring that they have even more data will not clearly ‘solve’ the existing under-resourcing problems.

Law enforcement agencies across Canada, and North America more generally, regularly suffer from a lack of staff to investigate digitally-facilitated criminal activities. Speaking with officers and sworn members, it is quickly apparent that they know that they need help, and they regularly call for it. Canadian politicians, and especially those controlling purse strings, are responsible for deciding how budgets are drafted and where money gets spent. It is up to them, first and foremost, to finance and staff agencies tasked with combatting CSAM. Nothing in the Government of Canada’s recent online harms consultation raises this as a need and, instead, suggests that ensuring that federal agencies have access to more data will address what is, in fact, a serious resourcing need.

If we are to address the serious ills of CSAM then we must address the systemic challenges facing the policing community in its efforts to investigate CSAM offences in Canada. These challenges should not be cast as ‘the Charter gets in the way’ but, instead, that ‘more resources are needed to address serious crimes in a Charter-compliant way’. The government must commit to this latter route, and demonstrate an openness to genuinely debate on how to address ongoing systemic challenges facing the investigation and prosecution of individuals alleged to have committed CSAM-related offences. Until it does so, the government’s calls for warrantless access to subscriber information or transmission data should be treated with skepticism and caution, and with the anticipation that we are witnessing just one more bait and switch maneuver.

  1. If you’re interested in some of that history, I encourage you to read a chapter I had published in 2015 that was entitled, “Stuck on the Agenda: Drawing Lessons from the Stagnation of “Lawful Access” Legislation in Canada”. ↩︎
  2. See 7(3)(c.1) in PIPEDA ↩︎
  3. Historically, CSPs have focused on telecommunications providers, such as Bell, Telus, or Rogers, but increasingly the scope has expanded to include platform companies such as Facebook, Google, Apple, or Amazon. ↩︎
  4. It is common practice for some CSPs, an in particular social networking companies, to terminate individuals’ accounts should the account be used to distribute CSAM or engage in other child-related harms. ↩︎