Technology, Thoughts & Trinkets

Touring the digital through type

Category: Mobiles (page 2 of 10)

Canada’s National Security Consultation: Digital Anonymity & Subscriber Identification Revisited… Yet Again

Phone by Any & Carrie Coleman

Phone by Any & Carrie Coleman (CC BY-NC-ND 2.0) https://flic.kr/p/4jtzjb

Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invite a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners

The government has framed the discussion in two constituent documents, a National Security Green Paper and an accompanying Background Document. The government’s framings of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. Moreover, key commitments, such as the need to impose judicial control over Canada’s foreign intelligence agency (CSE) and regulate the agency’s expansive metadata surveillance activities, are neither presented nor discussed (although the government has mentioned independently that it still hopes to introduce such reforms). The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools. 

In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts, beginning with the government’s reincarnation of a highly controversial telecommunication subscriber identification power.

Continue reading

IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies

imsi-catcher-coverThe Citizen Lab and CIPPIC released a report, Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada, which examined the use of devices that are commonly referred to as ‘cell site simulators’, ‘IMSI Catchers’, ‘Digital Analyzers’, or ‘Mobile Device Identifiers’, and under brand names such as ‘Stingray’, DRTBOX, and ‘Hailstorm’. IMSI Catchers are a class of of surveillance devices used by Canadian state agencies. They enable state agencies to intercept communications from mobile devices and are principally used to identify otherwise anonymous individuals associated with a mobile device and track them.

Though these devices are not new, the ubiquity of contemporary mobile devices, coupled with the decreasing costs of IMSI Catchers themselves, has led to an increase in the frequency and scope of these devices’ use. Their intrusive nature, as combined with surreptitious and uncontrolled uses, pose an insidious threat to privacy.

This report investigates the surveillance capabilities of IMSI Catchers, efforts by states to prevent information relating to IMSI Catchers from entering the public record, and the legal and policy frameworks that govern the use of these devices. The report principally focuses on Canadian agencies but, to do so, draws comparative examples from other jurisdictions. The report concludes with a series of recommended transparency and control mechanisms that are designed to properly contain the use of the devices and temper their more intrusive features.

The report is structured across four sections:

  • Section One provides an overview of the technical capabilities of IMSI Catchers.
  • Section Two focuses on civil society and journalists’ efforts to render transparent how IMSI Catchers are used.
  • Section Three examines the regulation of IMSI Catchers and avenues towards lawful regulation of their use.
  • Section Four sets out best practices that should be incorporated into a framework governing IMSI Catcher use.

In more detail, Section One provides an overview of the technical capabilities of IMSI Catchers. The report principally focuses on how the devices can be used in ‘identification mode’, where they intercept digital numbers that are unique to mobile devices. IMSI Catchers exploit weaknesses in the design of mobile communications systems to induce mobile devices to transmit these unique numbers that, typically, are only sent to telecommunications carriers. From a privacy perspective, the report argues that IMSI Catchers are inherently intrusive: by design, they capture mobile identifiers from all phones in range, leading to significant collateral privacy impact that can affect the privacy of thousands of non-targets for each individual legitimate target.

Section Two focuses on transparency efforts associated with IMSI Catchers, and how states have routinely sought to prevent information about IMSI Catchers from reaching the public record. After highlighting some of the hard-fought successes to bring documents to the public record in the United States, in particular, the report examines comparable efforts to uncover IMSI Catchers’ use in Canada and these efforts’ comparative successes and failures. In doing so, a case analysis is conducted where the Toronto Police Services Board successfully (and inappropriately) prevented documents from becoming public. The report critiques a number of the justifications that are frequently advanced by state agencies seeking to prevent information related to IMSI Catchers from becoming public. Furthermore, it argues that providing some details on IMSI Catcher use will not undermine the investigative utility of the devices, and that there is substantial public interest that should compel authorities to disclose documents regardless of whether they affect investigative utility. Furthermore, disclosure of such documents is needed to evaluate whether the possession of the devices is inconsistent with the Radiocommunications Act, the Privacy Act, and perhaps the Charter. Equally seriously, refusing to officially acknowledge IMSI Catcher use in the face of a growing body of documents demonstrating their use threatens to undermine public confidence that the devices are being used lawfully and in a manner that is proportionate and minimized their impact on non-targeted members of the public.

Section Three examines the regulation of IMSI Catchers and avenues towards the lawful authorization of their use. After surveying German and American regulatory processes to understand gaps in the Canadian context, the report explores Canada’s ambitious statutory framework for electronic surveillance. Doing so explicates the legal avenues state agencies can exercise to authorize their use of IMSI Catchers. This section reveals how a range of overlapping powers might apply to IMSI Catcher authorization, and that this ambiguity might let agencies deploy IMSI Catchers using powers offering minimal privacy protection. The section concludes by examining the Charter implications of IMSI Catcher uses, and rejects possible justifications of IMSI Catcher deployment which lack prior judicial authorization. A series of safeguards and conditions on the use of IMSI Catchers, such that their operation does not amount to a constitutionally impermissible search, wraps up this section.

Section Four sets out best practices that should be incorporated into a framework governing IMSI Catcher use. The section recommends that IMSI Catcher use by state agencies be subject to comprehensive transparency mechanisms, including annual statistical reporting on use, an individual notice requirement, and compliance with standard reporting obligations typically applied to radio devices owned by state agencies. It further argues for the criminalization of unauthorized uses of IMSI Catchers. Such authorization should be subject to a strict regime that is linked with demonstrating their investigative necessity, including a “serious crimes” provision that limits IMSI Catchers’ use to investigate only the most severe offences. In addition to proportionality measures, targeting and minimization procedures should be imposed to limit the collateral impact of deployment on innocent third-parties.

The report’s Conclusion highlights core findings and also emphasizes the importance of privacy in liberal democratic societies.

We hope that this report will contribute to the growing discussion and debate concerning how, and the appropriateness of, state agencies’ use of IMSI Catchers. Ultimately, it is in the government’s and citizens’ best interest for state agencies to be more transparent and accountable for how they use IMSI Catchers in the course of conducting investigations.

DOWNLOAD FULL REPORT (English) // DOWNLOAD EXECUTIVE SUMMARY (French)

Project Support

The authors would like to graciously thank a number of sources whose generous funding made this report possible: the Open Society Foundation, Frederick Ghahramani, a Social Sciences and Humanities Research Council (SSHRC) Postdoctoral Fellowship Award, and the Munk School of Global Affairs at the University of Toronto. Furthermore, the authors are grateful for in-depth substantive input on the December 2015 draft of this document from Professor Ron Deibert and Sarah McKune, to Adrian Dabrowski and to participants of Citizen Lab Summer Institute 2016 for key input on technical questions raised by this paper and to Lex Gill for extensive substantive additions and edits. Responsibility for any errors or omissions remains with the authors.

Authors

Christopher Parsons

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently the Managing Director of the Telecom Transparency Project and a Research Associate at the Citizen Lab, in the Munk School of Global Affairs.

Tamir Israel

Tamir is staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.

Public Submission on IMSI Catchers

5047039173_36fbdc9523_oOn October 14, 2015 the Pivot Legal Society in British Columbia filed a complaint with the Office of the Information and Privacy Commissioner (OIPC) of British Columbia concerning the Vancouver Police Department’s (VPD) refusal to disclose any documents concerning the department’s use of IMSI Catchers. IMSI Catchers, also known as Cell Site Simulators or Mobile Device Identifiers, are designed to impersonate cellular telecommunications towers. The devices are used to collect identifiers and potentially content transmitted from mobile phones in the device’s vicinity. In response to Pivot Legal Society’s complain Tamir Israel (from CIPPIC) l and I intervened on behalf of Open Media to argue that VPD ought to be compelled to disclose documents they possessed concerning their use of IMSI Catchers.

Our intervention begins by outlining how IMSI Catchers technically function. Next, we demonstrate how the test for investigative necessity advanced by VPD simply does not apply to responsive records in light of the significant general information regarding IMSI Catcher use. Finally, we argue that even if disclosure of responsive records will, to some degree, undermine the utility of IMSI Catchers as an investigative tool, disclosure must still occur. Confirmation of IMSI Catcher use is a necessary precursor to informed public debate and to the proper legal constraint of an invasive surveillance tool and is therefore in the public interest.

Download the Intervention (Alternate Link)

Authors

Tamir Israel

Tamir is staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.

Christopher Parsons

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently the Managing Director of the Telecom Transparency Project and a Postdoctoral Fellow at the Citizen Lab, in the Munk School of Global Affairs.

Photo credit: Mobile Phone Tower by Michael Coghlan (CC BY-SA 2.0) https://flic.kr/p/8FZoUM

The Limits of Tower Dump Privacy Protections in Canada

290822052_cccfe6d6ee_oOn January 14, 2016, the Ontario Superior Court ruled that “tower dumps” – the mass release of data collected by cellphone towers at the request of law enforcement agencies – violate privacy rights under the Canadian Charter of Rights and Freedoms. In response, Justice Sproat outlined a series of guidelines for authorities to adhere to when requesting tower dump warrants in the future.

I wrote about this case for PEN Canada. I began by summarizing the issue of the case and then proceeded to outline some of the highlights of Justice Sproat’s decision. The conclusion of the article focuses on the limits of that decision: it does not promote statutory reporting of tower dumps and thus Canadians will not learn how often such requests are made; it does not require notifying those affected by tower dumps; it does not mean Canadians will know if data collected in a tower dump is used in a subsequent process against them. Finally, the guidelines are not precedent-setting and so do not represent binding obligations on authorities requesting the relevant production orders.

Read the Article

Photo credit: cell tower next to the casita by dasroofless (CC BY-NC-ND 2.0) https://flic.kr/p/rGxgj

« Older posts Newer posts »