Technology

The Limits of Tower Dump Privacy Protections in Canada

/ Christopher Parsons

290822052_cccfe6d6ee_oOn January 14, 2016, the Ontario Superior Court ruled that “tower dumps” – the mass release of data collected by cellphone towers at the request of law enforcement agencies – violate privacy rights under the Canadian Charter of Rights and Freedoms. In response, Justice Sproat outlined a series of guidelines for authorities to adhere to when requesting tower dump warrants in the future.

I wrote about this case for PEN Canada. I began by summarizing the issue of the case and then proceeded to outline some of the highlights of Justice Sproat’s decision. The conclusion of the article focuses on the limits of that decision: it does not promote statutory reporting of tower dumps and thus Canadians will not learn how often such requests are made; it does not require notifying those affected by tower dumps; it does not mean Canadians will know if data collected in a tower dump is used in a subsequent process against them. Finally, the guidelines are not precedent-setting and so do not represent binding obligations on authorities requesting the relevant production orders.

Read the Article [NOTE: PEN Canada website no longer contains this article — see it, below]

The Limits of Tower Dump Privacy Protections

By Christopher Parsons

On January 14, 2016, the Ontario Superior Court ruled that “tower dumps” – the mass release of data collected by cellphone towers at the request of law enforcement agencies – violate privacy rights under the Canadian Charter of Rights and Freedoms. Christopher Parsons is a postdoctoral fellow and managing director of the telecom transparency project at Citizen Lab, Munk School of Global Affairs, at the University of Toronto. Read on for his break-down of this decision and its limits.

The Limits of Tower Dump Privacy Protections

When travelling with your mobile phone it routinely — often a few times second — communicates with the neighbouring cellular towers so that it can send, or receive, communications. Each such communication will geolocate the mobile device and send unique identifying information.

Authorities use production orders to compel telecommunications companies to disclose mobile tower-related retained data. Data from these so-called ‘tower dump warrants’ can be used to identify persons suspected of committing a crime. But they can also result in signification infringements of Canadians’ privacy because of the sheer volume of information that can be disclosed, which includes affected persons’ subscriber information and billing records. It was exactly this issue of over breadth that led TELUS and Rogers to challenge a tower dump order for an aggregate total of 43,000 persons’ information. The challenge was finally decided in January of 2016.[1]

Decision Highlights

Justice Sproat declared that the Peel Regional Police’s production orders “authorized unreasonable searches and so breached the s. 8 Charter rights of the Rogers and Telus subscribers.” He also outlined the following guidelines for authorities to adhere to when requesting tower dump warrants in the future:

  1. Provide a statement or explanation that demonstrates the officer seeking the order is aware of the principles of incrementalism and minimal intrusion, and tailored the requested order with that in mind.
  2. Explain why all the named locations or cell towers, and all the requested date and time parameters, are relevant to the investigation.
  3. Explain why all the types of records sought are relevant.
  4. Identify details or parameters which could be used to target the production order to conduct narrower searches and produce fewer records.
  5. Request a report based on the specific data instead of requesting the underlying data itself.
  6. Justify any requests for underlying data, when it is requested.
  7. Confirm that the types and amounts of data being requested can be meaningfully reviewed.

Justice Sproat declined to prohibit authorities from requesting ‘large’ amounts of data on the basis that the authorities and authorizing judge alike may be uncertain of the data required to conduct an investigation. He also declined to offer guidelines addressing how long authorities could retain data provided by telecommunications companies; legislatures, not courts, had to make that decision. Moreover, he maintained that legislatures, not courts, had to determine whether tower dumps be ‘last resort’ investigative techniques.

Importantly, the guidance Justice Sproat provided does not set precedent. As such, the guidelines are not binding obligations on authorities requesting production orders.

Sproat’s Limitations

The decision may limit authorities’ request for Canadians’ personal information. Such narrowed targeting will constitute a victory for Canadians and their privacy interests.

The decision and guidelines will not improve Canadians’ understanding of how often such requests are actually made. Authorities needn’t publicly report on how often, or to what effect, tower dump orders are useful for investigating or resolving criminal incidents. Moreover, those affected by tower dumps will not be notified of their data being collected by authorities unless charged with a crime. And finally, Canadians will not know if their data is used, later, for purposes unrelated to the original tower dump investigation: the unique identifiers and billing information might, as an example, be subsequently used to identify persons later detected at public events or protests by combining newly collected surveillance data with that previously disclosed by telecommunications providers.

So while Canadians have enjoyed a significant victory concerning their privacy rights they are no more aware of actually being affected by such requests unless charged with a crime. And this data might ultimately be used against them in subsequent investigations or government surveillance. Consequently, Canadians are still left to trust, without being able to verify, that our personal information is being accessed and retained appropriately by authorities. This privacy victory, in other words, has not come with an ounce of real transparency for the public at large.

Citations

[1] R. v. Rogers Communications, 2016, ONSC 70.

Photo credit: cell tower next to the casita by dasroofless (CC BY-NC-ND 2.0) https://flic.kr/p/rGxgj

Why We Need to Reevaluate How We Share Intelligence Data With Allies

/ Christopher Parsons

OLYMPUS DIGITAL CAMERA

Last week, Canadians learned that their foreign signals intelligence agency, the Communications Security Establishment (CSE), had improperly shared information with their American, Australian, British, and New Zealand counterparts (collectively referred to as the “Five Eyes”). The exposure was unintentional: Techniques that CSE had developed to de-identify metadata with Canadians’ personal information failed to keep Canadians anonymous when juxtaposed with allies’ re-identification capabilities. Canadians recognize the hazards of such exposures given that lax information-sharing protocols with US agencies which previously contributed to the mistaken rendition and subsequent torture of a Canadian citizen in 2002.

Tamir Israel (of CIPPIC) and I wrote and article for Just Security following these revelations. We focused on the organization’s efforts, and failure, to suppress Canadians’ identity information that is collected as part of CSE’s ongoing intelligence activities and the broader implications of erroneous information sharing. Specifically, we focus on how such sharing can have dire life consequences for those who are inappropriately targeted as a result by Western allies and how such sharing has led to the torture of a Canadian citizen. We conclude by arguing that the collection and sharing of such information raises questions regarding the ongoing viability of the agency’s old-fashioned mandates that bifurcate Canadian and non-Canadian persons’ data in light of the integrated nature of contemporary communications systems and data exchanges with foreign partners.

Read the Article

Authors

Tamir Israel

Tamir is staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.

Christopher Parsons

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently the Managing Director of the Telecom Transparency Project and a Postdoctoral Fellow at the Citizen Lab, in the Munk School of Global Affairs.

Photo credit: Spies by Kieran Lamb (CC BY-SA 2.0) https://flic.kr/p/416nVf

More Surveillance Powers Won’t Prevent Intelligence Failures

/ Christopher Parsons

Newspapers B&W (5)I co-authored a comment to the editors of the Globe and Mail, “More Surveillance Powers Won’t Prevent Intelligence Failures,” in response to Christian Leuprecht’s article “Pointing fingers won’t prevent intelligence failures“. Leuprecht asserts that further intelligence sharing is critical to prevent and avoid attacks such as those in Paris, that more trust between intelligence agencies to facilitate international intelligence sharing is needed, and that more resources are needed if particular individuals subject to state suspicion are to be monitored. He also asserted that governments need the powers to act against targeted individuals, and that unnamed ‘critics’ are responsible for the weakening of intelligence agencies and, by extension, for the senseless deaths of innocents that result from agencies’ inabilities to share, monitor, and engage suspicious persons.

The co-authored comment rebuts Leuprecht’s assertions. We point that there is more intelligence collected, now, than ever before. We note that some of the attackers were already known to intelligence and security services. And we note that it was intelligence sharing, itself, that led to the targeting and torture of Maher Arar. In effect, the intelligence community is failing in spite of having the capabilities and powers that Leuprecht calls for; what is missing, if anything, is the ability to transform the intelligence collected today into something that is actionable.

The full comment, first published at the Globe and Mail, is reproduced below:

More Surveillance Powers Won’t Prevent Intelligence Failures
Re: “Pointing Fingers Won’t Prevent Intelligence Failures” (Nov 25):

The horrific attacks in Paris have led to a wave of finger-pointing – often powerfully disassociated from the realities of the failures (Pointing Fingers Won’t Prevent Intelligence Failures – Nov 25). The answer from security agencies is inevitably to request more surveillance and more capacity to intrude into citizens’ lives.

These requests are made despite the historically unprecedented access to digital information that security agencies already enjoy and repeated expansions of security powers. Clearly “more security” is not the answer to preventing all future attacks.

The intelligence failure in Paris painted a familiar picture. Many of the attackers were known to French officials, and Turkish intelligence agencies sent repeated warnings of another. Yet in their rush to blame communications technologies such as iPhone encryption and the PlayStation (claims since discredited), security agencies neglect the lack of adequate human intelligence resources and capacities needed to translate this digital knowledge into threat prevention. Also absent is attention to agency accountability – the unaddressed information-sharing problems that caused the mistaken targeting and torture of Maher Arar.

The targets of terror are not only physical, but also ideological. Introducing a laundry list of new powers in response to every incident without regard to the underlying causes will not prevent all attacks, but will leave our democracy in tatters.

Vincent Gogolek, Executive Director, BC Freedom of Information and Privacy Association (BCFIPA)

Tamir Israel, Staff Lawyer, Canadian Internet Policy & Public Interest Clinic (CIPPIC), University of Ottawa

Monia Mazigh, National Coordinator, International Civil Liberties Monitoring Group (ICLMG)

Christopher Parsons, Postdoctoral Fellow, Citizen Lab at Munk School of Global Affairs, University of Toronto

Sukanya Pillay, Executive Director & General Counsel, Canadian Civil Liberties Association (CCLA)

Laura Tribe, Digital Rights Specialist, OpenMedia

Micheal Vonn, Policy Director, British Columbia Civil Liberties Association (BCCLA)

Photo credit: Newspapers B&W (5) by Jon S (CC BY 2.0) https://flic.kr/p/ayGkBN

Regarding Vidéotron’s Practices Related to its Mobile Wireless Unlimited Music Service

/ Christopher Parsons

RedIn mid-October I co-authored a submission to the Canadian Radio-television and Telecommunications Commission (CRTC) with Tamir Israel, a staff lawyer with the Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa. Our submission was filed in support of complaints issued by the Public Interest Advocacy Centre and Vaxination Informatique against Vidéotron’s (a subsidiary of Québecor Media Inc.) newly introduced Unlimited Music service.

The complaints arose after Vidéotron announced Unlimited Music, a mobile platform that offers access to a curated list of music streaming services over Vidéotron’s mobile data network without imposing data fees on the customers (often termed ‘zero rating’). In our submission, we argue that offerings of this kind raise concerns of undue preference, unjust discrimination and, more broadly, net neutrality, as addressed by the CRTC Commission in Broadcasting and Telecom Decision CRTC 2015-26 and in the Telecom Regulatory Policy CRTC 2009-657 (extended to mobile Internet access in Telecom Decision CRTC 2010-445). By zero rating specific services or categories thereof, Vidéotron is leveraging its role as a gateway to network content in order to provide its chosen services an advantage that no other competing service can match. Doing so disrupts the neutral ecosystem that is necessary for digital innovation to continue to flourish. It also raises serious ancillary privacy questions.

Our submission begins by arguing that Vidéotron’s mobile usage billing practices constitute an economic Internet traffic management practice and that zero rating services such as Unlimited Music are generally problematic. We then discuss the likely role of Deep Packet Inspection (DPI) technologies in facilitating Vidéotron’s zero rating practices. Next, we broadly argue that Vidéotron’s Unlimited Music offering is preferential and discriminatory; in addition to constituting an undue and unreasonable preference for certain service offerings, it unjustly discriminates against complementary offerings from other online vendors that include music in their broader product offering. Moreover, there is the potential for Vidéotron to discriminate against services that are mislabelled as ‘unlawful’. We conclude by discussing some of the other potential implications of Vidéotron’s Unlimited Music service.

Download our submission // See all submissions to the CRTC

Authors

Tamir Israel

Tamir is staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.

Christopher Parsons

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently the Managing Director of the Telecom Transparency Project and a Postdoctoral Fellow at the Citizen Lab, in the Munk School of Global Affairs.

Photo credit: Red by André Hofmeister (CC BY-SA 2.0) https://flic.kr/p/iKN6oT

Stuck on the Agenda: Drawing Lessons from the Stagnation of “Lawful Access” Legislation in Canada

/ Christopher Parsons

9780776622071_web_1Earlier this year I had a book chapter, titled “Stuck on the Agenda: Drawing Lessons from the Stagnation of “Lawful Access” Legislation in Canada” published in Law, Privacy and Surveillance in Canada in the Post-Snowden Era. The book was edited by Michael Geist and is freely available in .pdf format from the University of Ottawa Press. The edited collection brings together many of Canada’s leading thinkers on privacy and national security issues, with authors outlining how Canadian-driven intelligence operations function, the legal challenges facing Canadian signals intelligence operations, and ways to reform Canada’s ongoing signals intelligence operations and the laws authorizing those operations.

The book arguably represents the best, and most comprehensive, examination of the Communications Security Establishment (CSE) in recent history. While not providing insiders’ accounts, many of the chapters draw from access to information documents, documents provided to journalists by Edward Snowden, and publicly available information concerning how intelligence operations are conducted by Canadian authorities. In aggregate they critically investigate the actual and alleged intelligence practices undertaken by Canadian authorities.

My contribution focuses on the politics associated with Canada’s lawful access legislation, and identifies some of the political conditions that may precede successful opposition to legislation that expands or reifies both domestic and foreign intelligence surveillance practices. Specifically, the chapter begins by outlining how agenda-setting operates and the roles of different agendas, tactics, and framings. Next, it turns to the Canadian case and identifies key actors, actions, and stages of the lawful access debates. The agenda-setting literature lets us identify and explain why opponents of the Canadian legislation were so effective in hindering its passage and what the future holds for opposing similar legislative efforts in Canada. The final section steps away from the Canadian case to suggest that there are basic as well as additive general conditions that may precede successful political opposition to newly formulated or revealed government surveillance powers that focus on either domestic or signals intelligence operations. You can read the chapter on pages 256-283.

Download the book from University of Ottawa Press

Image credit: Book Cover from Michael Geist (Ed.) (CC BY-NC-SA 3.0) http://www.press.uottawa.ca/law-privacy-and-surveillance

Beyond Privacy: Articulating the Broader Harms of Pervasive Mass Surveillance

/ Christopher Parsons

2852616711_57c5d04259_b

I’ve published a new paper titled “Beyond Privacy: Articulating the Broader Harms of Pervasive Mass Surveillance” in Media and Communication. Media and Communication is an open access journal; you can download the article from any location, to any computer, free of cost. The paper explores how dominant theories of privacy grapple with the pervasive mass surveillance activities undertaken by western signals intelligence activities, including those of the NSA, CSE, GCHQ, GCSB, and ASD. I ultimately argue that while these theories provide some recourse to individuals and communities, they are not sufficiently holistic to account for how mass surveillance affects the most basic elements a democracy. As such, I suggest that academic critics of signals intelligence activities can avail themselves to theory from the Frankfurt School to more expansively examine and critique contemporary signals intelligence surveillance practices.

Full Abstract

This article begins by recounting a series of mass surveillance practices conducted by members of the “Five Eyes” spying alliance. While boundary- and intersubjectivity-based theories of privacy register some of the harms linked to such practices I demonstrate how neither are holistically capable of registering these harms. Given these theories’ deficiencies I argue that critiques of signals intelligence surveillance practices can be better grounded on why the practices intrude on basic communicative rights, including those related to privacy. The crux of the argument is that pervasive mass surveillance erodes essential boundaries between public and private spheres by compromising populations’ abilities to freely communicate with one another and, in the process, erodes the integrity of democratic processes and institutions. Such erosions are captured as privacy violations but, ultimately, are more destructive to the fabric of society than are registered by theories of privacy alone. After demonstrating the value of adopting a communicative rights approach to critique signals intelligence surveillance I conclude by arguing that this approach also lets us clarify the international normative implications of such surveillance, that it provides a novel way of conceptualizing legal harm linked to the surveillance, and that it showcases the overall value of focusing on the implications of interfering with communications first, and as such interferences constituting privacy violations second. Ultimately, by adopting this Habermasian inspired mode of analysis we can develop more holistic ways of conceptualizing harms associated with signals intelligence practices than are provided by either boundary- or intersubjective-based theories of privacy.

Download the Paper

Photo credit: Retro Printers by Steven Mileham (CC BY-NC 2.0) https://flic.kr/p/5m5pyK