Privacy

Computer network operations and ‘rule-with-law’ in Australia

/ Christopher Parsons

‘Cyberman’ by Christian Cable (CC BY-NC 2.0) at https://flic.kr/p/3JuvWv

Last month a paper that I wrote with Adam Molnar and Erik Zouave was published by Internet Policy Review. The article, “Computer network operations and ‘rule-with-law’ in Australia,” explores how the Australian government is authorized to engage in Computer Network Operations (CNOs). CNOs refer to government intrusion and/or interference with network information communications infrastructures for the purposes of law enforcement and national security operations.

The crux of our argument is that Australian government agencies are relatively unconstrained in how they can use CNOs. This has come about because of overly permissive, and often outdated, legislative language concerning technology that has been leveraged in newer legislation that expands on the lawful activities which government agencies can conduct. Australian citizens are often assured that existing oversight or review bodies — vis a vis legislative assemblies or dedicated surveillance or intelligence committees — are sufficient to safeguard citizens’ rights. We argue that the laws, as currently written, compel review and oversight bodies to purely evaluate the lawfulness of CNO-related activities. This means that, so long as government agencies do not radically act beyond their already permissive legislative mandates, their oversight and review bodies will assert that their expansive activities are lawful regardless of the intrusive nature of the activities in question.

While the growing capabilities of government agencies’ lawful activities, and limitations of their review and oversight bodies, have commonalities across liberal democratic nations, Australia is in a particularly novel position. Unlike its closest allies, such as Canada, the United States, New Zealand, or the United Kingdom, Australia does not have a formal bill of rights or a regional judicial body to adjudicate on human rights. As we write, “[g]iven that government agencies possess lawful authority to conduct unbounded CNO operations and can seek relatively unbounded warrants instead of those with closely circumscribed limits, the rule of law has become distorted and replaced with rule of law [sic]”.

Ultimately, CNOs represent a significant transformation and growth of the state’s authority to intrude and affect digital information. That these activities can operate under a veil of exceptional secrecy and threaten the security of information systems raises questions about whether the state has been appropriately restrained in exercising its sovereign powers domestically and abroad: these powers have the capability to extend domestic investigations into the computers of persons around the globe, to facilitate intelligence operations that target individuals and millions of persons alike, and to damage critical infrastructure and computer records. As such, CNOs necessarily raise critical questions about the necessity and appropriateness of state activities, while also showcasing the state’s lack of accountability to the population is is charged with serving.

Read the “Computer network operations and ‘rule-with-law’ in Australia” at Internet Policy Review.

Curated Canadian IMSI Catcher Resources

/ Christopher Parsons

‘Untitled’ by Andrew Hilts

IMSI Catchers enable state agencies to intercept communications from mobile devices and are used primarily to identify otherwise anonymous individuals associated with a mobile device or to track them. These devices are also referred to as ‘cell site simulators’, ‘mobile device identifiers’, and ‘digital analyzers’, as well as by the brandnames such as ’Stingray’, DRTBox’, and ‘Hailstorm’. These surveillance devices are not new – their use by state agencies spans decades. However, the ubiquity of the mobile communications devices in modern day life, coupled with the plummeting cost of IMSI Catchers, has led to a substantial increase in the frequency and scope of IMSI Catcher use by government and non-government agents alike. The devices pose a serious threat to privacy given that they are highly intrusive, surreptitious, and subject to limited controls in relation to their licit and illicit sale or operation.

One of the challenges with understanding the current policy landscape around IMSI Catchers in Canada stems from different government agencies’ deliberate efforts to prevent the public from learning about whether agencies use such devices. Journalists and academics have tried to determine whether and how the devices are used over the course of approximately a decade; this means that information concerning their operation has unfolded over a significant length of time. Without a centralized resource to curate the successes and failures of these investigations it is often challenging for non-experts to understand the full context and history of IMSI Catchers’ operation in Canada.

Only recently have journalists, advocacy groups, and academics in North America learned about how their respective governments have historically, and presently, operated IMSI Catchers. Such revelations began around four years ago in the United States and within the past year and a half in Canada. Such revelations are the culmination of extensive preparatory work: though news articles and research reports appear more frequently, now, their existence today is predicated on the hidden labour that took place over the prior years.

For Canadians, the release of select court documents enabled more informed analysis of how these devices were used by federal, provincial, and municipal agencies. Such information was drawn on to prepare a report on IMSI Catchers that I wrote with Tamir Israel last year, in which we canvassed, collated, and analyzed what was technically understood about how IMSI Catchers operate, as well as the challenges Canadians have faced using freedom of information request to learn more about the technology. That report also included legal analyses of different ways of authorizing the devices’ operation and the Charter implications of their operation. Furthermore, in recent weeks the RCMP finally admitted to the public that it has used IMSI Catchers after previously claiming that any revelation of whether and how they used the devices would infringe on national security or ongoing investigations. Many other agencies have since followed suit, also informing the public whether they possess and operate IMSI Catchers in the course of their investigations.

To help interested members of the public, journalists, advocacy and activist groups, and fellow academics, I have collated a list of IMSI Catcher-related resources that pertain to the Canadian situation. This listing includes the most important primary and secondary documents to read to understand the state of play in Canada. Some of the resources are produced by academics and technologists, some focus on technology or policy or law, and others encompass the major news stories that have trickled out about IMSI Catchers over the past several years. If you believe that I have missed any major documents feel free to contact me.

Access the IMSI Catcher in Canada Resources

Pleading the Case: How the RCMP Fails to Justify Calls for New Investigatory Powers

/ Christopher Parsons
'RCMP' by POLICEDRIVER2 (CC BY 2.0) https://flic.kr/p/sEM7W5

‘RCMP’ by POLICEDRIVER2 (CC BY 2.0) https://flic.kr/p/sEM7W5

A pair of articles by the Toronto Star and CBC have revealed a number of situations where the authors report on why authorities may be right to ask for new investigatory powers. A series of cases, combined with interviews with senior RCMP staff, are meant to provide some insight into the challenges that policing and security agencies sometimes have when pursuing investigations. The articles and their associated videos are meant to spur debate concerning the government’s proposal that new investigatory powers are needed. Such powers include a mandatory interception capability, mandatory data retention capability, mandatory powers to compel decryption of content, and easy access to  basic subscriber information.

This post does not provide an in-depth analysis of the aforementioned proposed powers. Instead, it examines the specific ‘high priority’ cases that the RCMP, through a pair of journalists, has presented to the public. It’s important to recognize that neither the summaries nor underlying documents have been made available to the public, nor have the RCMP’s assessments of their cases or the difficulties experienced in investigating them been evaluated by independent experts such as lawyers or technologists. The effect is to cast a spectre of needing new investigatory powers without providing the public with sufficient information to know and evaluate whether existing powers have been effectively exercised. After providing short commentaries on each case I argue that the RCMP has not made a strong argument for the necessity or proportionality of the powers raised by the government of Canada in its national security consultation.

Continue reading

Dissecting CSIS’ Statement Concerning Indefinite Metadata Retention

/ Christopher Parsons
PR? by Ged Carrol (CC BY 2.0) https://flic.kr/p/6jshtz

PR? by Ged Carrol (CC BY 2.0) https://flic.kr/p/6jshtz

In this brief post I debunk the language used by CSIS Director Michel Coulombe in his justification of CSIS’s indefinite data retention program. That program involved CSIS obtaining warrants to collect communications and then, unlawfully, retaining the metadata of non-targeted persons indefinitely. This program was operated out of the Operational Data Analysis Centre (ODAC). A Federal Court judge found that CSIS’ and the Department of Justice’s theories for why the program was legal were incorrect: CSIS had been retaining the metadata, unlawfully, since the program’s inception in 2006. More generally, the judge found that CSIS had failed to meet its duty of candour to the court by failing to explain the program, and detail its existence, to the Court.

The public reactions to the Federal Court’s decision has been powerful, with the Minister of Public Safety being challenged on CSIS’s activities and numerous mainstream newspapers publishing stories that criticize CSIS’ activities. CSIS issued a public statement from its Director on the weekend following the Court’s decision, which is available at CSIS’ website. The Federal Court’s decision concerning this program is being hosted on this website, and is also available from the Federal Court’s website. In what follows I comprehensively quote from the Director’s statement and then provide context that, in many cases, reveals the extent to which the Director’s statement is designed to mislead the public.

Continue reading

Canada’s National Security Consultation: Digital Anonymity & Subscriber Identification Revisited… Yet Again

/ Christopher Parsons
Phone by Any & Carrie Coleman

Phone by Any & Carrie Coleman (CC BY-NC-ND 2.0) https://flic.kr/p/4jtzjb

Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invite a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners

The government has framed the discussion in two constituent documents, a National Security Green Paper and an accompanying Background Document. The government’s framings of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. Moreover, key commitments, such as the need to impose judicial control over Canada’s foreign intelligence agency (CSE) and regulate the agency’s expansive metadata surveillance activities, are neither presented nor discussed (although the government has mentioned independently that it still hopes to introduce such reforms). The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools. 

In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts, beginning with the government’s reincarnation of a highly controversial telecommunication subscriber identification power.

Continue reading

IMSI Catcher Report Calls for Transparency, Proportionality, and Minimization Policies

/ Christopher Parsons

imsi-catcher-coverThe Citizen Lab and CIPPIC released a report, Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada, which examined the use of devices that are commonly referred to as ‘cell site simulators’, ‘IMSI Catchers’, ‘Digital Analyzers’, or ‘Mobile Device Identifiers’, and under brand names such as ‘Stingray’, DRTBOX, and ‘Hailstorm’. IMSI Catchers are a class of of surveillance devices used by Canadian state agencies. They enable state agencies to intercept communications from mobile devices and are principally used to identify otherwise anonymous individuals associated with a mobile device and track them.

Though these devices are not new, the ubiquity of contemporary mobile devices, coupled with the decreasing costs of IMSI Catchers themselves, has led to an increase in the frequency and scope of these devices’ use. Their intrusive nature, as combined with surreptitious and uncontrolled uses, pose an insidious threat to privacy.

This report investigates the surveillance capabilities of IMSI Catchers, efforts by states to prevent information relating to IMSI Catchers from entering the public record, and the legal and policy frameworks that govern the use of these devices. The report principally focuses on Canadian agencies but, to do so, draws comparative examples from other jurisdictions. The report concludes with a series of recommended transparency and control mechanisms that are designed to properly contain the use of the devices and temper their more intrusive features.

The report is structured across four sections:

  • Section One provides an overview of the technical capabilities of IMSI Catchers.
  • Section Two focuses on civil society and journalists’ efforts to render transparent how IMSI Catchers are used.
  • Section Three examines the regulation of IMSI Catchers and avenues towards lawful regulation of their use.
  • Section Four sets out best practices that should be incorporated into a framework governing IMSI Catcher use.

In more detail, Section One provides an overview of the technical capabilities of IMSI Catchers. The report principally focuses on how the devices can be used in ‘identification mode’, where they intercept digital numbers that are unique to mobile devices. IMSI Catchers exploit weaknesses in the design of mobile communications systems to induce mobile devices to transmit these unique numbers that, typically, are only sent to telecommunications carriers. From a privacy perspective, the report argues that IMSI Catchers are inherently intrusive: by design, they capture mobile identifiers from all phones in range, leading to significant collateral privacy impact that can affect the privacy of thousands of non-targets for each individual legitimate target.

Section Two focuses on transparency efforts associated with IMSI Catchers, and how states have routinely sought to prevent information about IMSI Catchers from reaching the public record. After highlighting some of the hard-fought successes to bring documents to the public record in the United States, in particular, the report examines comparable efforts to uncover IMSI Catchers’ use in Canada and these efforts’ comparative successes and failures. In doing so, a case analysis is conducted where the Toronto Police Services Board successfully (and inappropriately) prevented documents from becoming public. The report critiques a number of the justifications that are frequently advanced by state agencies seeking to prevent information related to IMSI Catchers from becoming public. Furthermore, it argues that providing some details on IMSI Catcher use will not undermine the investigative utility of the devices, and that there is substantial public interest that should compel authorities to disclose documents regardless of whether they affect investigative utility. Furthermore, disclosure of such documents is needed to evaluate whether the possession of the devices is inconsistent with the Radiocommunications Act, the Privacy Act, and perhaps the Charter. Equally seriously, refusing to officially acknowledge IMSI Catcher use in the face of a growing body of documents demonstrating their use threatens to undermine public confidence that the devices are being used lawfully and in a manner that is proportionate and minimized their impact on non-targeted members of the public.

Section Three examines the regulation of IMSI Catchers and avenues towards the lawful authorization of their use. After surveying German and American regulatory processes to understand gaps in the Canadian context, the report explores Canada’s ambitious statutory framework for electronic surveillance. Doing so explicates the legal avenues state agencies can exercise to authorize their use of IMSI Catchers. This section reveals how a range of overlapping powers might apply to IMSI Catcher authorization, and that this ambiguity might let agencies deploy IMSI Catchers using powers offering minimal privacy protection. The section concludes by examining the Charter implications of IMSI Catcher uses, and rejects possible justifications of IMSI Catcher deployment which lack prior judicial authorization. A series of safeguards and conditions on the use of IMSI Catchers, such that their operation does not amount to a constitutionally impermissible search, wraps up this section.

Section Four sets out best practices that should be incorporated into a framework governing IMSI Catcher use. The section recommends that IMSI Catcher use by state agencies be subject to comprehensive transparency mechanisms, including annual statistical reporting on use, an individual notice requirement, and compliance with standard reporting obligations typically applied to radio devices owned by state agencies. It further argues for the criminalization of unauthorized uses of IMSI Catchers. Such authorization should be subject to a strict regime that is linked with demonstrating their investigative necessity, including a “serious crimes” provision that limits IMSI Catchers’ use to investigate only the most severe offences. In addition to proportionality measures, targeting and minimization procedures should be imposed to limit the collateral impact of deployment on innocent third-parties.

The report’s Conclusion highlights core findings and also emphasizes the importance of privacy in liberal democratic societies.

We hope that this report will contribute to the growing discussion and debate concerning how, and the appropriateness of, state agencies’ use of IMSI Catchers. Ultimately, it is in the government’s and citizens’ best interest for state agencies to be more transparent and accountable for how they use IMSI Catchers in the course of conducting investigations.

DOWNLOAD FULL REPORT (English) // DOWNLOAD EXECUTIVE SUMMARY (French)

Project Support

The authors would like to graciously thank a number of sources whose generous funding made this report possible: the Open Society Foundation, Frederick Ghahramani, a Social Sciences and Humanities Research Council (SSHRC) Postdoctoral Fellowship Award, and the Munk School of Global Affairs at the University of Toronto. Furthermore, the authors are grateful for in-depth substantive input on the December 2015 draft of this document from Professor Ron Deibert and Sarah McKune, to Adrian Dabrowski and to participants of Citizen Lab Summer Institute 2016 for key input on technical questions raised by this paper and to Lex Gill for extensive substantive additions and edits. Responsibility for any errors or omissions remains with the authors.

Authors

Christopher Parsons

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently the Managing Director of the Telecom Transparency Project and a Research Associate at the Citizen Lab, in the Munk School of Global Affairs.

Tamir Israel

Tamir is staff lawyer with the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC) at the University of Ottawa Faculty of Law, where he conducts research and advocacy on various digital rights-related topics, with a focus on online privacy and anonymity, net neutrality, intellectual property, intermediary liability, spam, e-commerce, and consumer protection generally.