After disappearing for an extended period of time – to the point that the Globe and Mail reported that the legislation was dead – the federal government’s lawful access legislation is back on the agenda. In response to the Globe and Mail’s piece, the Public Safety Minister stated that the government was not shelving the legislation and, in response to the Minister’s statements, Open Media renewed the campaign against the bill. What remains to be seen is just how ‘lively’ this agenda item really is; it’s unclear whether the legislation remains on a back burner or if the government is truly taking it up.
While the politics of lawful access have been taken up by other parties, I’ve been pouring through articles and ATIP requests related to existing and future policing powers in Canada. In this post I first (quickly) outline communications penetration in Canada, with a focus on how social media services are used. This will underscore just how widely Canadians use digitally-mediated communications systems and, by extension, how many Canadians may be affected by lawful access powers. I then draw from publicly accessible sources to outline how authorities presently monitor social media. Next, I turn to documents that have been released through federal access to information laws to explicate how the government envisions the ‘nuts and bolts’ of their lawful access legislation. This post concludes with a brief discussion of the kind of oversight that is most appropriate for the powers that the government is seeking.
Communications Penetration in Canada
Canadians are prolific users of communications services. Mobile penetration is incredibly high in Canada, with 78% of Canadian households having a mobile phone in 2010 and an increasingly large share of citizens dispensing with landlines in favor of mobiles. As of 2010, 78/100 homes had wireline broadband connections, 31/100 had mobile broadband connections, and there were 76 mobile subscriptions per 100 Canadians. Further, CRTC data shows that 25.83 million Canadians were mobile phone subscribers in 2010. In short, there are high levels of mobile and wireline connectivity in Canada, though there are still consumers who are served exclusively by dial-up Internet access.
Of course simply owning devices or paying for a service does not indicate how those devices or services are used. The Quorus Consulting Group’s report, 2011 Cell Phone Consumer Attitudes Study (.pdf), reveals how mobiles are used. From the report we learn that:
- 68% of mobile phone users send and receive texts, and 62% use mobile phones for taking pictures.
- 69% of smartphone users have apps that access social networks, instant messaging, or blogs, and roughly 60% of smartphone users access transit, mapping or navigational information. YouTube is also popular (56%).
In submissions to Industry Canada, the Communications, Energy and Paperworkers Union of Canada (.pdf) evaluated research on how many minutes Canadians talked on their mobile phones. They concluded that Canadians spoke on them for about 320 minutes/day in 2010. More recent research suggests that this number has declined in recent years but, regardless, Canadians still speak extensively on their mobiles. The decline in voice minutes, however, is strongly associated with an increase in Canadians sending text messages, which the Qourus study pegged at around 224 million/day. Mobile broadband access, through mobile phones, is also increasing.
We also know that Canadians are prolific users of Internet services. According to Ipsos Reid, as of 2011, 50% of Canadians and 60% of online Canadians have social networking profiles, with 45% of Canadians visiting a social networking site at least once/week, and 30% visiting daily. 86% of social network users in Canada have Facebook accounts, with Twitter (19%) and LinkedIn (14%) being the second and third most widely used services. According to comScore’s 2011 report, “It’s a Social World: Top 10 Need-to-Knows About Social Networking and Where It’s Headed,” Canadians spend roughly 7.7 hours a month on social networks; significantly, this includes about 470 minutes/month on Facebook, 20 minutes/month on Twitter, 16 minutes/month on LinkedIn, and 105 minutes/month on Tumblr. The same report confirms Ipsos Reid’s findings, indicating that Canadians of all ages are spending time on these networks. In looking at global usage patterns, comScore found that the following were the most common social network actions taken using mobile devices:
- Read posts from people the user knows personally
- Posted status updates
- Read posts from organizations/brands/events
- Read posts from public figures/celebrities
- Received a coupon, offer, or deal
- Used a social networking check-in service
While often not included as a social network, it is significant to recognize how much Canadians use Google’s YouTube service. comScore found that, as of December 2011, Canadians were (on average) viewing 271 videos per month. The same report reveals that Canadians spend an average of 45.3 hours on the Internet, as of Q4 of 2011.
Social Media Surveillance, Today
Over the past year I’ve identified a series of methods that authorities could use – and, internationally, are known are used – to monitor citizens’ digitally mediated communications. As examples, I’ve identified ways that subscriber information can be used for online tracking actions, raised awareness about how IMSI catchers could be used to track Canadians’ physical locations, and made available a chapter on deep packet inspection technologies that could be repurposed for law enforcement. I’ve also posted a report, prepared for the BCCLA, that looks at how lawful access powers are used (and abused) by our closest economic and military allies.
You may read – or skim – those pieces and come to the following conclusion: while valid concerns are raised, they don’t necessarily speak to how authorities are conducting surveillance right now. Why should Canadians be concerned in the absence of evidence of broad-based surveillance of the population right now? In what follows, I want to identify a few of the current surveillance practices that authorities use to monitor Canadians’ use of social media. Social media is chosen as a case because of how widely Canadians of all ages, ethnicities, and economic brackets participate in these electronic networks.
From documents released under federal access to information laws, we find that in 2010 (.pdf) the RCMP contacted ISPs for customer name and address information a total of 28,143 times. Such information is generally referred to as ‘subscriber data’ under the federal government’s proposed lawful access legislation. In 93.6% of cases, ISPs voluntarily provided information to authorities. For the remaining cases, ISPs demanded warrants (Pp. 216). While requests to social networking services aren’t included in ATIP documents I’m privy to, we can presume that (at the very least) accessing such information is something that authorities are interested in. This interest is confirmed when we turn to research prepared for Public Safety.
Richard Frank, Connie Cheng, and Vito Pun prepared a report for Public Safety that examined authorities’ intelligence gathering practices as related to social networking sites. The researchers conducted interviews with members of policing agencies as part of their methodology. Interviewed subjects uniformly indicated that “they now often begin investigations by opening up a web-browser and gathering online information.” Such information constitutes “open source” intelligence (OSINT). One of his respondents described OSINT as “about searching for information accessible to the public, but finding the information that the public does not know how to obtain, and analyzing it in a fashion the public doesn’t know how to analyze” (Pp. 12). My previous writings that address authorities’ contemporary means of surveilling the public are significantly confirmed by Frank et al. when they write that:
Taken together, the respondents painted the following picture of a typical OSINT gathering exercise. First, an individual, or group of individuals (referred to simply as a suspect hereon) is identified. The suspect’s profile is sought on multiple OSMS in the hopes that the suspect is available on at least one. The suspect’s network of friends, co-workers, collaborators and relatives is built based on his linkages to other individuals or organizations (including gangs) on OSMS. At the same time, information specific to the suspect is collected, such as phone numbers, aliases, age, city, and nearest intersection or addresses frequented. This information can be derived from GPS-coordinates embedded in photos, for example. Some individuals make this information private on the OSMS sites they frequent. Police officers and private investigators can attempt to befriend such individuals using fake accounts in order to try to infiltrate the network of the suspect. Fake accounts can be long-term efforts, with the goal of gaining enough connections with the suspect to earn their trust. Once sufficient information about the suspect is collected, the individual, or members of the network, can be charged by law enforcement (Pp. 12-3).
These means of collecting intelligence are supplemented by sometimes focusing “on the network of the suspect, including as girlfriends, family members, and close acquaintances … one respondent mentioned they will look for a suspect’s presence on genealogy sites because, according to his experience, offenders tend to have relatives who are also offenders” (Pp. 13). This is significant, insofar as those who are not necessarily of specific interest to the authorities can, nevertheless, be significantly spied upon. This research corresponds with earlier work I’ve done, where I stated that “[h]aving coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.” In short, being close to a potential suspect/criminal is sufficient to warrant police investigation, regardless of your own innocence.
Of course, subscriber data and related geolocational information also plays important roles in OSINT. The authors of the report for Public Safety found that:
the search has to be complimented by using as much specific information as possible, including phone numbers, street names, nearest intersections and/or nearest subway stations. According to the respondents who described this process, once the suspect has been identified on a single OSMS, new information can be learned which can then be utilized for further investigative purposes and to create a more detailed picture of the suspect and their network ( Pp. 14).
This finding confirms that, as visually represented in an infographic distributed by Open Media, authorities do – and will – draw on basic identifiers to subsequently develop broader understandings of suspects’ network of associations. While each individual data item may not be considered particular ‘private’ when they are drawn together they reveal an individual’s core biographical information.
While attention in the lawful access debate has prominently focused on large ISPs, such as Rogers, Bell, and Telus, social networks are recognized by Public Safety as a point of interest under the legislation. This becomes apparent when reading the December 2011 draft list of lawful access issues (.pdf), wherein the attending parties question who will be responsible for monitoring/intercepting cloud computing and social media platforms (Pp. 2). From the issues document, we can conclude that social media is on the regulatory, if not the legislative, agenda.
Social media’s situation on the regulatory agenda is unsurprising. Public Safety has concerns (.pdf) that requiring warrants for non-emergency situations would be problematic, on the basis that “It could limit the ability of police to access BSI [Basic Subscriber Information] in non-emergencies; It could undermine the ability of CSIS to access BSI; It could limit the ability of police to fulfil non-criminal, general policing duties such as returning stolen property or identifying next of kin after a traffic accident” (Pp. 267). We should note, however, that CSIS cannot locate any “[r]ecords related to consultations with law enforcement and justice officials that describe why obtaining a warrant for basic subscriber information would negatively impact the ability to carry out investigations and add another burden on the criminal justice system.”
From Frank et al., we learn that warrants and cross-border transmission of social networking information is seen as problematic by authorities. Specifically;
… popular sites like Twitter and Facebook are willing to provide access to the information of an account holder only when a search warrant is supplied. Facebook even has a guide for law enforcement personnel on how to request user information. Moreover, since most OSMS reside outside of Canada, mutual legal assistance treaty applications must be prepared to access legal information on targeted accounts for use in court. Respondents indicated that it can take as long as six months to receive requested information due to the processes involved between two countries. Further, respondents note that evidence collection from these services is a challenge. All evidence must be captured according to forensic standards: website content must be generated into a static PDF document, and screen shots must be captured in case of a discrepancy between the actual content layout and the PDF. All of this requires resources, time, and effort to properly process.
They do note that there is an exception to the rule of (relatively) incalcitrant behaviour, insofar as:
there are some social media sites that choose to aid in investigations by responding quickly to requests from law enforcement, even without a warrant, such as the Canadian social network site of one respondent. As stated by the respondent, “the police must have a reason for asking” so they usually will comply without a warrant (Pp. 14-5).
These reports and ATIP documents largely confirm that Canadian authorities are significantly invested in monitoring communications and activities that take place on social media platforms for policing and intelligence gathering processes. What we also learn, however, is that there are problems in conducting some of this surveillance. Specifically, access to subscriber information can be challenging when held by companies operating in foreign jurisdictions. Let’s now turn to how these surveillance processes might work after the lawful access legislation is passed.
Social Media Surveillance, Tomorrow
Public Safety is, as noted above, concerned about the impacts that warrants will have on authorities’ capacity to conduct surveillance. The key “problems” with warrants are as follows: it can take time to secure a warrant, with the often stated conclusion that this significantly hinders policing actions; they require a crime to have been committed, and thus limit access to information before charges/criminality are laid/identified. This latter point is especially concerning for CSIS. Their intelligence gathering mandate requires employees to chase down leads well-prior to certifiably knowing whether actionable intelligence will result from the collected information.
Given the existing problems that authorities have in accessing subscriber information from foreign social networks, how might such frictions be reduced in the future? Enhancing access to this information information would (likely) occur by combining subscriber-compulsion powers in bill C-30 with the increased data exchange powers associated with the US/Canada Perimeter Security proposals. Professor Wark notes that enabling cross-border law enforcement (.pdf) is a key ‘plank’ of the Perimeter Security proposals. Proposals specifically call for “informal” sharing of data (that accords with each nations’ respective laws) and integrated cross-national police intelligence teams working to collaboratively enable and enhance American and Canadian policing actions (Pp. 32-3). If warrantless access to subscriber data were legal under Canadian law we might see attempts to leverage Perimeter Security arrangements to reduce or eliminate the current delays in accessing subscriber data held by American social networking companies.
In looking at what Public Safety envisions for Canadian ISPs we can see just how quickly (.pdf) they might want social media companies to comply with Canadian laws. Per regulations that would follow the passage of the lawful access legislation, Canadian ISPs would be obligated “to provide, in written form, the name, address and other identifiers associated with the subscriber to a designated person as soon as feasible, but within two business days after having received the request for information. In exceptional circumstances, this information should be provided to the requesting police officer as soon as feasible but no longer than within 3o minutes” (Pp. 14). The alacrity at which ISPs would be obligated to respond is contrasted against the 2010 existing response speed (.pdf) of 13 days (Pp. 216).
Enhanced access to social network subscriber data would be accompanied by a low standard to legally access the information. Rather have having a reason to believe the information is needed to address a crime, authorities would simply need to have reasonable suspicion. David Fewer, Director of CIPPIC, has stated that reasonable suspicion functions as a kind of “spidey-sense standard” on the basis that, if authorities can conjure up a reason to suspect someone of a crime, they can thereafter justify the reasonableness of the suspicion and compel subscriber information from a service provider. In their legal analysis of lawful access legislation, the BCCLA recognizes that
Although the proposed new law explicitly limits secondary uses of subscriber information gathered under this power, it would allow law enforcement and intelligence agents to use the information without the individual’s knowledge for purposes “consistent with” the original purpose for which it was obtained. In the context of intelligence, there is no real limit on information gathering – all information about a suspect is potentially relevant. Once again, there is no after-the-fact notice provision ensuring that the subscribers in question are aware, let alone consent to, such uses (Pp. 34).
The limited protections individuals ‘enjoy’ around secretly collected subscriber data can have significant impacts for individual users of social networks and, more broadly, communities that form on these networks. As noted earlier, contemporary open source intelligence operations entail surveilling individuals who are not, themselves, presumed guilty of criminal malfeasance: their ‘crime’ is being associated with those who are so suspected. Thus, under the lens of intelligence gathering those who are merely proximate to suspects – and thus instrumentally useful to police – may have their subscriber information collected secretly and used for online tracking and association purposes, all without those individuals ever being the wiser.
It remains to be seen how, exactly, wiretap requirements would be applied to social networking services. In the 17 page regulations document prepared by Public Safety we see that their wiretap calculations are framed around the number of users and class/location of networking routers. In general, the government expects ISPs to provide fewer intercepts in rural areas and more in metropolitan areas. While such a calculation can be made for ISPs with physical infrastructure located across the country, it is unclear how this applies to companies such as Facebook, Google, and MSN Live. Section 3.2.7, on page 8 (.pdf), suggests that ISPs will be required to calculate interceptions – presuming that social networks are in the same class as email and VoIP providers – but, given the lack of clarity in the December 2011 agenda, this may be a point the government is still struggling with.
There are two dominant methods of ascertaining how many intercepts a TSP would have to conduct. The maximum possible global limit would be the number of subscribers divided by 5,000. As of June 2011, roughly 16.6 million Canadians were using Facebook. If we assume that number has neither shrunk nor grown, and that Facebook itself would be required to intercept communications for Canadian authorities, then the maximum global limit on Facebook interceptions would be 3,320. The second method of identifying the total number of intercepts a TSP must be able to perform is linked to its existing equipment and service locations; with these numbers many Canadian ISPs may enjoy a reduced (expected) maximum number of intercepts. It is unclear how, or whether, similar reductions would apply to social networking companies that lack this kind of geographically located capital investment.
Total numbers of wiretaps are dependent on subscribers on a per-service basis, and thus it is entirely reasonable to expect that Twitter, Microsoft, Rogers, Bell, and all other TSPs with more than 10,000 subscribers (those with under 10,000 subscribers will have a global limit of 2 possible interceptions) could be engaged in state-driven surveillance. Given the preponderance of Canadians using a large variety of services this opens the door for potentially tens of thousands of interceptions that could be conducted at any one time. Moreover, as more social networks gain prominence amongst savvy Canadian Internet users the effect will be to increase the potential amount of government surveillance: more interest in, say, Pintrest will correspond with greater global intercept maximums for the company. There are no such maximums for requesting subscriber data.
Thus, while there are challenges with getting subscriber and other information from American-based social media companies today, such frictions may diminish as Perimeter Security agreements are developed and implemented. Further, we can expect that subscriber information will be used with few restrictions in the surveillance landscape of tomorrow. Finally, if social networking services are indeed seen as distinct organizations that have to comply with Canadian intercept laws then the global maximum of interceptions could skyrocket.
Oversight and Surveillance
Canadian lawful access legislation threatens to radically expand the breadth of authorities’ existing powers, shifting from a framework where authorities must negotiate with telecommunications service providers to one where they can legally compel certain behaviours from these providers. The legislation’s proposed oversight features are weak and have been criticized by Canada’s privacy commissioners, with the federal commissioner noting that it lacks resources to conduct audits and provincial commissioners stating that they often lack the power to monitor provincial and municipal authorities’ actions (e.g. see the letter that P.E.I.’s Information and Privacy Commissioner sent to Public Safety (.pdf), Pp. 44). The Deputy Minister of Public Safety, William V. Baker, responded to the P.E.I. Commissioner’s concerns by writing that,
The lack of consistent mandates with regards to audit powers for provincial privacy commissioners is an unfortunate challenge. To address this issue in part, former Bill C-52 would have called attention to this inconsistency by requiring the Privacy Commissioner of Canada to detail annually the sometimes limited extent of powers of provincial officers to conduct audits similar to those referred to in s. 20(4) of the former Bill (Pp. 49).
To be frank, identifying deficits in provincial officers’ powers does little to improve Canadians’ visibility into the surveillance practices of their governments. Internal documents from Public Safety indicate a relative callousness for the federal commissioner’s similar lack of resources, with an analyst writing
In terms of resources, the OPC does not receive additional funding every time a government department or agency implements a program that will be subject to OPC review. It is up to every department to determine how best to allocate their resources (Pp. 241).
The analyst’s seemingly glib response to the federal commissioner’s concerns seems strange in the face of Canadians’ opposition to the legislation while also indicating the unwillingness of Public Safety to resource adequate oversight. The realpolitik, in other words, suggests that any claims that Canadians’ privacy will be protected and that the government is committed to strong audits are more rhetorical than actual.
Still, what might assuage some of the concerns raised by advocates, academics, and the Canadian public more generally? One approach is a detailed auditing regime that a new Commissioner would be required to oversee; rather than impose these responsibilities on already overburdened commissioners an Interception of Communications or Surveillance Commissioner could be created. Similar Commissioners exist in the UK, today.
This new Commissioner could create an audit framework for lawful access by modifying suggestions from the EU’s Article 29 Working Group. At least the following could be included in the audit:
- Number of requests made throughout the year, segmented by month;
- Number of requests made throughout the year, per province by month;
- Number of requests made throughout the year, divided between federal, provincial, and municipal requests by month;
- User data being accessed, containing a delimited series of predefined fields;
- Traffic data being accessed, containing a delimited series of predefined fields;
- Traffic content being accessed, containing a delimited series of predefined fields that indicate the kind of traffic being intercepted/accessed;
- Number of requests made to each communications provider in Canada, as well as number of requests that were responded to, both in a by month format;
- A code associated with each accessing party, along with the number of times each party has requested either access to, interception of, or preservation of data by month;
- Judiciary code that identifies which judicial authority authorized the usage of surveillance powers;
- Request type (e.g. exigent circumstances, interception, subscriber information, data preservation, etc.) along with whether the information led to a prosecution and, where a prosecution was made, the class of the prosecution.
With this information in hand, and made public each year in a report to Parliament, the Canadian public could learn about the surveillance actions that authorities were conducting. The report should include qualitative analysis of failures – identifying organizations and kinds of errors – as well as proposed fixes. In a subsequent report, tabled perhaps 6 months later, the Interception/Surveillance Commissioner would identify whether errors had been remedied. Such a Commissioner would need to be empowered to legally demand that errors were resolved and with a capacity to impose strong consequences on government bodies that did not fix the identified problems. In the case of companies failing in their due diligence – perhaps providing interception access without first receiving requisite legal documents – then they should similarly experience the wrath of the Commissioner, perhaps in the form of publicly identifying companies who illegally enabled the interceptions.
The Commissioner should also be empowered to notify Canadians who had their subscriber information captured by authorities that their information was collected if those Canadians were not targets of legal action. This would personify the yearly reports while enabling Canadians to protest or bring claim against the government when access to subscriber information was clearly improper or unnecessary. Without a right of notification it will be impossible for the citizenry to contextualize what it means when the state conducts widescale surveillance. Further, without such a right most Canadians will presume that those spied upon were guilty, or suspected of being guilty, or some offence. The right of notification would thus operate as a kind of limiting condition, insofar as it should limit blasé uses of compulsion powers: if Canadians learn that widescale, inappropriate, and unnecessary spying is occurring then the responsible government would subsequently ‘enjoy’ being the subject of investigations and targeted by front page national news stories.
Establishing a Commissioner to oversee how lawful access powers are used, as well as a right of notification, will not prevent or stop misuses of powers under lawful access. Combined, however, these provisions could limit the harms that authorities might otherwise commit. Given how widely Canadians use social media services, and the degree to which these services will fall under surveillance, it is imperative that Canadians understand how their communications networks are being surveilled by government. Creating a Commissioner that was empowered to watch the watchers would only help to protect Canadians’ rights and is a (minimally) proportionate response to such significant expansions in state surveillance capabilities.