Legislation

Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law

/ Christopher Parsons

Earlier this month Amanda Cutinha and I published a report, entitled “Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law.” In it, we examine how the Government of Canada obtained and used mobility data over the course of the COVID-19 pandemic, and use that recent history to analyse and critique the Consumer Privacy Protection Act (CPPA).

The report provides a detailed summary of how mobility information was collected as well as a legal analysis of why the collection and use of this information likely conformed with the Privacy Act as well as the Personal Information Protection and Electronic Documents Act (PIPEDA). We use this conformity to highlight a series of latent governance challenges in PIPEDA, namely:

  1. PIPEDA fails to adequately protect the privacy interests at stake with de-identified and aggregated data despite risks that are associated with re-identification.
  2. PIPEDA lacks requirements that individuals be informed of how their data is de-identified or used for secondary purposes.
  3. PIPEDA does not enable individuals or communities to substantively prevent harmful impacts of data sharing with the government.
  4. PIPEDA lacks sufficient checks and balances to ensure that meaningful consent is obtained to collect, use, or disclose de-identified data.
  5. PIPEDA does not account for Indigenous data sovereignty nor does it account for Indigenous sovereignty principles in the United Nations Declaration on the Rights of Indigenous Peoples, which has been adopted by Canada.
  6. PIPEDA generally lacks sufficient enforcement mechanisms.

We leverage these governance challenges to, subsequently, analyse and suggest amendments to the CPPA. Our report’s 19 amendments would affect:

  1. Governance of de-identified data
  2. Enhancing knowledge and consent requirements surrounding the socially beneficial purposes exemption and legitimate interest exemption
  3. Meaningful consent for secondary uses
  4. Indigenous sovereignty
  5. Enforcement mechanisms
  6. Accessibility and corporate transparency

While we frankly believe that the legislation should be withdrawn and re-drafted with human rights as the guide stone of the legislation we also recognise that this is unlikely to happen. As such, our amendments are meant to round off some of the sharp edges of the legislation, though we also recognise that further amendments to other parts of the legislation are likely required.

Ultimately, if the government of Canada is truly serious about ensuring that individuals and communities are involved in developing policies pursuant to themselves and their communities, ameliorating disadvantages faced by marginalized residents of Canada, and committing to reconciliation with Indigenous populations, it will commit to serious amendments of C-27 and the CPPA. Our recommendations are made in the spirit of addressing the gaps in this new legislation that are laid bare when assessing how it intersects with Health Canada’s historical use of locational information. They are, however, only a start toward the necessary amendments for this legislation.

Executive Summary

The Government of Canada obtained de-identified and aggregated mobility data from private companies for the socially beneficial purpose of trying to understand and combat the spread of COVID-19. This collection began as early as March 2020, and the information was provided by Telus and BlueDot. It wasn’t until December 2021, after the government issued a request for proposals for cellular tower information that would extend the collection of mobility information, that the public became widely aware of the practice. Parliamentary meetings into the government’s collection of mobility data began shortly thereafter, and a key finding was that Canada’s existing privacy legislation is largely ineffective in managing the collection, use, and disclosure of data in a manner that recognizes the privacy rights of individuals. In spite of this finding, the federal government introduced Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts in June 2022 which, if passed into law, will fail to correct existing deficiencies in Canada’s federal commercial privacy law. In particular, Bill C-27 would make explicit that the government can continue collecting information, including mobility data from private organizations, so long as uses were socially beneficial and without clearly demarcating what will or will not constitute such uses in the future.

This report, “Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under the Socially Beneficial and Legitimate Interest Exemptions in Canadian Privacy Law,” critically assesses the government’s existing practice of collecting mobility information for socially beneficial purposes as well as private organizations’ ability to collect and use personal information without first obtaining consent from individuals or providing them with knowledge of the commercial activities. It uses examples raised during the COVID-19 pandemic to propose 19 legislative amendments to Bill C-27. These amendments would enhance corporate and government accountability for the collection, use, and disclosure of information about Canadian residents and communities, including for so-called de-identified information.

Part 1 provides a background of key privacy issues that were linked to collecting mobility data during the COVID-19 pandemic. We pay specific attention to the implementation of new technologies to collect, use, and disclose data, such as those used for contact-tracing applications and those that foreign governments used to collect mobility information from telecommunications carriers. We also attend to the concerns that are linked to collecting location information and why there is a consequent need to develop robust governance frameworks.

Part 2 focuses on the collection of mobility data in Canada. It outlines what is presently known about how Telus and BlueDot collected the mobility information that was subsequently disclosed to the government in aggregated and de-identified formats, and it discusses the key concerns raised in meetings held by the Standing Committee on Access to Information, Privacy and Ethics. The Committee’s meetings and final report make clear that there was an absence of appropriate public communication from the federal government about its collection of mobility information as well as a failure to meaningfully consult with the Office of the Privacy Commissioner of Canada. The Government of Canada also failed to verify that Telus and BlueDot had obtained meaningful consent prior to receiving data that was used to generate insights into Canadian residents’ activities during the pandemic.

Part 3 explores the lawfulness of the collection of mobility data by BlueDot and Telus and the disclosure of the data to the Public Health Agency of Canada under existing federal privacy law. Overall, we find that BlueDot and Telus likely complied with current privacy legislation. The assessment of the lawfulness of BlueDot and Telus’ activities serves to reveal deficiencies in Canada’s two pieces of federal privacy legislation, the Privacy Actand the Personal Information Protection and Electronic Documents Act (PIPEDA).

In Part 4, we identify six thematic deficiencies in Canada’s commercial privacy legislation:

  1. PIPEDA fails to adequately protect the privacy interests at stake with de-identified and aggregated data despite risks that are associated with re-identification.
  2. PIPEDA lacks requirements that individuals be informed of how their data is de-identified or used for secondary purposes.
  3. PIPEDA does not enable individuals or communities to substantively prevent harmful impacts of data sharing with the government.
  4. PIPEDA lacks sufficient checks and balances to ensure that meaningful consent is obtained to collect, use, or disclose de-identified data.
  5. PIPEDA does not account for Indigenous data sovereignty nor does it account for Indigenous sovereignty principles in the United Nations Declaration on the Rights of Indigenous Peoples, which has been adopted by Canada.
  6. PIPEDA generally lacks sufficient enforcement mechanisms.

The Government of Canada has introduced the Consumer Privacy Protection Act (CPPA) in Bill C-27 to replace PIPEDA. Part 5 demonstrates that Bill C-27 does not adequately ameliorate the deficiencies of PIPEDA as discussed in Part 4. Throughout, Part 5 offers corrective recommendations to the Consumer Privacy Protection Act that would alleviate many of the thematic issues facing PIPEDA and, by extension, the CPPA.

The federal government and private organizations envision the Consumer Privacy Protection Act as permitting private individuals’ and communities’ data to be exploited for the benefit of the economy and society alike. The legislation includes exceptions to consent and sometimes waives the protections that would normally be associated with de-identified data, where such exemptions could advance socially beneficial purposes or legitimate business interests. While neither the government nor private business necessarily intend to use de-identified information to injure, endanger, or negatively affect the persons and communities from whom the data is obtained, the breadth of potential socially beneficial purposes means that future governments will have a wide ambit to define the conceptual and practical meaning of these purposes. Some governments, as an example, might analyze de-identified data to assess how far people must travel to obtain abortion-care services and, subsequently, recognize that more services are required. Other governments could use the same de-identified mobility data and come to the opposite conclusion and selectively adopt policies to impair access to such services. This is but one of many examples. There are similar, though not identical, dangers that may arise should private organizations be able to collect or use an individual’s personal information without their consent under the legitimate interest exemption in the CPPA. Specifically, this exemption would let private organizations determine whether the collection or use of personal information outweighs the adverse effects of doing so, with the individuals and communities affected being left unaware of how personal information was collected or used, and thus unable to oppose collections or uses with which they disagree.

Parliamentary committees, the Office of the Privacy Commissioner of Canada, Canadian academics, and civil society organizations have all called for the federal government to amend federal privacy legislation. As presently drafted, however, the Consumer Privacy Protection Act would reaffirm existing deficiencies that exist in Canadian law while opening the door to expanded data collection, use, and disclosure by private organizations to the federal government without sufficient accountability or transparency safeguards while, simultaneously, empowering private organizations to collect and use personal information without prior consent or knowledge. Such safeguards must be added in legislative amendments or Canada’s new privacy legislation will continue the trend of inadequately protecting individuals and communities from the adverse effects of using de-identified data to advance so-called socially beneficial purposes or using personal information for ostensibly legitimate business purposes.

Download a .pdf version of “Minding Your Business”

Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act

/ Christopher Parsons

Last month I published a report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act.” The report undertakes a critical analysis of Bill C-26 which would empower the government to compel critical infrastructure companies to undertake (or refrain from taking) activities the government was of the opinion would enhance the security of Canada’ critical infrastructure. The report begins by offering a background to why this legislation is seen as necessary by the government and, then, proceeds to assess the elements of the legislation which would modify the Telecommunications Act. Specifically, it focuses on issues associated with:

  • Compelling or directing modifications to organizations’ technical or business activities
  • Secrecy and absence of transparency or accountability provisions
  • Deficient judicial review processes
  • Extensive information sharing within and beyond Canadian agencies
  • Costs associated with security compliance
  • Vague drafting language

30 different recommendations are offered that, if adopted, would leave the government able to compel telecommunications companies to modify their practices while, simultaneously, imbuing the legislation with additional nuance, restraint, and accountability provisions. As drafted, today, the legislation prioritises secrecy at the expense of democratic accountability and would establish law that empowered actions which were unpredictable to private organizations and residents of Canada alike. The effect would be to empower the government to undertake lawful, if democratically illegible, activities. Cybersecurity requires a high degree of transparency and dialogue to be successfully implemented. Security can be and must be aligned with Canada’s democratic principles. It is now up to the government to amend its legislation in accordance with them.

Executive Summary

On June 14, 2022, the Government of Canada introduced “Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.” If passed into law, it will significantly reform the Telecommunications Act as well as impose new requirements on federally regulated critical infrastructure providers. This report, “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act,” offers 30 recommendations to the draft legislation in an effort to correct its secrecy and accountability deficiencies, while suggesting amendments that would impose some restrictions on the range of powers that the government would be able to wield. These amendments must be seriously taken up because of the sweeping nature of the legislation.

As drafted at time of writing, Bill C-26 would empower the Minister of Industry to compel telecommunications providers to do or refrain from doing anything in the service of securing Canadian telecommunications networks against the threats of interference, manipulation, or disruption. The legislation would authorize the Minister to compel providers to disclose confidential information and then enable the Minister to circulate it widely within the federal government; this information could potentially include either identifiable or de-identified personal information. Moreover, the Minister could share non-confidential information internationally even when doing so could result in regulatory processes or private right of actions against an individual or organization. Should the Minister or other party to whom the Minister shares information unintentionally lose control of the information, there would be no liability attached to the government for the accident.

Where orders or regulations are issued, they would not need to be published in the Canadian Gazette and gags could be attached to the recipients of such orders. There may even be situations where the government could issue an order or regulation, with the aforementioned publication ban and gag, that runs counter to a decision by the Canadian Radio-television and Telecommunications Commission (CRTC) and that overrides aspects of that decision. And in any cases where a telecommunications provider seeks judicial review, it might never see the evidence used to justify an order or regulation. However, if a telecommunications provider is found to have deliberately ignored or failed to adhere to an order, then either the individuals who directed the action or the telecommunications provider could suffer administrative monetary penalties.

This report, in summary, identifies and analyzes a series of deficiencies in Bill C-26 as it is presently drafted:

  • The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.
  • The excessive secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations.
  • Significant potential exists for excessive information sharing within the federal government as well as with international partners.
  • Costs associated with compliance with reforms may endanger the viability of smaller providers.
  • Vague drafting language means that the full contours of the legislation cannot be assessed.
  • No recognition of privacy or other Charter-protected rights exists as a counterbalance to proposed security requirements nor are appropriate accountability or transparency requirements imposed on the government.
  • Even if it is presumed that the government does need the ability to encourage or compel telecommunications providers to modify their technical or business operations to enhance the security of their services and facilities, it is readily apparent that more transparency and accountability should be required of the government. All of the recommendations in this report are meant to address some of the existent problems in the legislation.

Should these recommendations or ones derived from them not be taken up, then the government will be creating legislation of the worst kind insofar as it will require the public—and telecommunications providers—to simply trust that the government knows what it is doing, is reaching the right decisions, and that no need exists for a broader public discussion concerning the kinds of protections that should be put in place to protect the cybersecurity of Canada’s telecommunications networks. Cybersecurity cannot thrive on secretive and shadowy government edicts. The government must amend its legislation to ensure its activities comport with Canada’s democratic values and the norms of transparency and accountability.

Download a .pdf Version of “Cybersecurity Will Not Thrive in Darkness”

Citizen Lab and CIPPIC Release Analysis of the Communications Security Establishment Act

/ Christopher Parsons

The Fifth Eye by Dustin Ginetz (CC BY-NC-SA 2.0) https://flic.kr/p/id9KHn

It’s with real pleasure that I can announce that the Citizen Lab and the Canadian Internet Policy & Public Interest Clinic (CIPPIC) have collaborated to produce a report which provides timely legal analysis, political context, and historical background on the Communications Security Establishment Act and related provisions in Bill C-59 (An Act respecting national security matters), First Reading (December 18, 2017).  We hope that this resource will help members of parliament, journalists, researchers, lawyers, and civil society advocates engage more effectively on the issues at stake. Our report represents an analysis of the legislation as it enters political debate in Canada, and should be understood in the context of a rapidly evolving legal and political landscape.

The Communications Security Establishment (“the CSE” or “the Establishment”) is Canada’s national signals intelligence and cybersecurity agency. In the course of our analysis, we summarize the CSE’s mandate, activities, operations, and powers, with an emphasis on their potential implications for human rights and global security. We also offer a series of recommendations which, if adopted, would ensure a more legally sound framework for the CSE, better protect global security interests in a rapidly changing technological environment, and more effectively account for Canada’s domestic and international human rights obligations.

In Section I, we provide a brief overview of the CSE’s current mandate and certain controversial activities undertaken as part of that mandate. We also provide a high-level overview of Bill C-59 and its primary implications for the CSE.

In Section II, we undertake a detailed analysis of key issues arising from Bill C-59 related to the CSE, focusing on aspects with the most critical implications for human rights, political transparency, and global security. In particular, some of the issues we highlight in the legislation relate to:

  • Longstanding problems with the CSE’s foreign intelligence operations, which are predicated on ambiguous and secretive legal interpretations that legitimize bulk collection and mass surveillance activities. These activities both attract Charter protections and engage Canada’s human rights obligations.
  • The complete lack of meaningful oversight and control of the CSE’s activities under the proposed active and defensive cyber operations aspects of its mandate.
  • The absence of meaningful safeguards or restrictions on the CSE’s active and defensive cyber operations activities, which have the potential to seriously threaten secure communications tools, public safety, and global security.
  • The absence of meaningful safeguards or restrictions on the CSE’s activities more generally. As drafted, the CSE Act appears to include a loophole which would allow the Establishment to cause death or bodily harm, and to interfere with the “course of justice or democracy,” if acting under its foreign intelligence or cybersecurity powers while prohibiting these outcomes under its new cyber operation powers.
  • The risk that the CSE’s cybersecurity and assurance operations for the federal government could threaten independence of the courts or the separation of powers.
  • Concerns regarding the framework for the CSE’s acquisition of malware, spyware and hacking tools, which may legitimize a market predicated on undermining and subverting, rather than strengthening, the security of the global information infrastructure.
  • Serious issues related to the CSE’s provision of technical and operational assistance to other entities—including Canadian law enforcement—which may lead the CSE to proffer capabilities that would otherwise be illegal or unconstitutional for domestic partners to develop, use or possess, or which would be inherently disproportionate if deployed in those contexts (e.g., in policing operations).
  • Potential issues with the National Security Intelligence Review Agency’s ability to access foreign-provided information, and the risk of regulatory capture through its hiring policies.
  • Serious shortcomings—both legal and practical—in the role of the Intelligence Commissioner, which does not resolve the constitutional challenges surrounding the current CSE Commissioner or the constitutionality of the CSE’s activities more generally.
  • The Intelligence Commissioner’s inability to exercise meaningful and comprehensive oversight and control over the CSE’s activities (including its most problematic activities) due to an under-inclusive mandate, issues of independence, and insufficient powers of a quasi-judicial nature.
  • Weak and vague protections for the privacy of Canadians and persons in Canada, alongside an abject disregard for privacy rights as an international human rights norm.
  • Extraordinary exceptions to the CSE’s general rule against “directing” activities at Canadians and persons in Canada significantly expand the CSE’s ability to use its expansive powers domestically.
  • A general failure to recognize that the highly interconnected and interdependent nature of the global information infrastructure means that protections or limits on the CSE’s powers that begin and end at national boundaries are insufficient to protect Canada’s security interests.
  • Deep tensions at the core of the CSE mandate, which requires the Establishment to both protect and defend against security threats while simultaneously exploiting, maintaining, and creating new vulnerabilities in order to further its foreign intelligence agenda. These tensions are exacerbated by the introduction of new offensive powers and the two new aspects of its mandate.
  • A lack of legal clarity regarding how, when, and whether vulnerabilities discovered by the CSE are disclosed to vendors or the public, and how the CSE accounts for the public interest in the process.
  • The lack of oversight or reporting requirements for “arrangements” with equivalent agencies to the CSE in foreign jurisdictions. There is a risk that these partnerships could involve receipt of information derived from torture or other activities that would be unlawful or unconstitutional if conducted by a Canadian agency.

In Section III, we summarize recommendations emerging from our analysis for committee members and other members of Parliament studying the proposed CSE Act. In particular, we make recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Download a copy of “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59 ( An Act respecting national security matters ), First Reading (December 18, 2017)

Canada’s Quiet History Of Weakening Communications Encryption

/ Christopher Parsons

500995147_6c97aab488_o-300x225American and British officials have been warning with an increasing sense of purported urgency that their inability to decrypt communications could have serious consequences. American authorities have claimed that if they cannot demand decrypted communications from telecommunications providers then serious crimes may go unsolved. In the UK this danger is often accentuated by the threat of terrorism. In both nations, security and policing services warn that increased use of encryption is causing communications to ‘go dark’ and thus be inaccessible to policing and security services. These dire warnings of the threats potentially posed by criminals and terrorists ‘going dark’ have been matched over the years with proposals that would regulate encryption or mandate backdoors into any otherwise secure system. Comparatively little has been said about Canada’s long-standing efforts to inhibit end-user encryption despite the federal government’s longstanding efforts to restrict the security provided to Canadians by encryption.

This article outlines some of the federal government of Canada’s successful and unsuccessful attempts to weaken cryptographic standards. It starts by explaining (in brief) what communications encryption is, why it matters, and the implications of enabling unauthorized parties to decrypt communications. With this primer out of the way, we discuss why all of Canada’s mobile telecommunications carriers agree to implement cryptographic weaknesses in their service offerings. Next, we discuss the legislation that can be used to compel telecommunications service providers to disclose decryption keys to government authorities. We then briefly note how Canada’s premier cryptologic agency, the Communications Security Establishment (CSE), successfully compromised global encryption standards. We conclude the post by arguing that though Canadian officials have not been as publicly vocal about a perceived need to undermine cryptographic standards the government of Canada nevertheless has a history of successfully weakening encryption available to and used by Canadians.

Continue reading

CSIS’s New Powers Demand New Accountability Mechanisms

/ Christopher Parsons

6165458242_97e0572d03_oThe Government of Canada recently tabled Bill C-44, the Protection of Canada from Terrorists Act, in response to a series of court defeats concerning how the Canadian Intelligence and Security Service (CSIS) collects intelligence about Canadian residents. The federal courts took CSIS to task after Justice Richard Mosley realized that warrants issued to CSIS, which enabled CSIS to collaborate with Canada’s foreign signal intelligence agency to monitor Canadians abroad, were also being used to enlist the assistance of other nations’ signals intelligence agencies. In addition to the warrants not being issued with such foreign collaboration in mind there was — and remains — a judicial belief that CSIS’ lawyers deliberately misled the court when requesting the warrants.

The tabled legislation would not alleviate the ruling that CSIS lawyers misled the court. It would, however, authorize CSIS to apply for warrants which authorize the service to monitor Canadians abroad even if doing so would violate the laws of foreign nations. Moreover, CSIS would be empowered to request the assistance of foreign organizations in monitoring the aforementioned Canadians. The Act would also provide the government the power to prevent courts from publicly examining informants as well as to revoke citizenship under certain situations. Finally, the legislation further clarifies (and arguably extends) prohibitions on revealing the identity of CSIS officers. Continue reading

Canadian Cyberbullying Legislation Threatens to Further Legitimize Malware Sales

/ Christopher Parsons

Focus, Build, HackLawful access legislation was recently (re)tabled by the Government of Canada in November 2013. This class of legislation enhances investigative and intelligence-gathering powers, typically by extending search and seizure provisions, communications interception capabilities, and subscriber data disclosure powers. The current proposed iteration of the Canadian legislation would offer tools to combat inappropriate disclosure of intimate images as well as extend more general lawful access provisions. One of the little-discussed elements of the legislation is that it will empower government authorities to covertly install, activate, monitor, and remove software designed to track Canadians’ location and ‘transmission data.’

In this post I begin by briefly discussing this class of government-used malicious surveillance software, which I refer to as ‘govware’. Next, I outline how Bill C–13 would authorize the use of govware. I conclude by raising questions about whether this legislation will lead government agencies to compete with one another, with some agencies finding and using security vulnerabilities, and others finding and fixing the vulnerabilities such tools rely. I also argue that a fulsome debate must be had about govware based on how it can broadly threaten Canadians’ digital security. Continue reading