Phone by Any & Carrie Coleman (CC BY-NC-ND 2.0) https://flic.kr/p/4jtzjb
Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invite a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners.
The government has framed the discussion in two constituent documents, a National Security Green Paper and an accompanying Background Document. The government’s framings of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. Moreover, key commitments, such as the need to impose judicial control over Canada’s foreign intelligence agency (CSE) and regulate the agency’s expansive metadata surveillance activities, are neither presented nor discussed (although the government has mentioned independently that it still hopes to introduce such reforms). The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools.
In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts, beginning with the government’s reincarnation of a highly controversial telecommunication subscriber identification power.
In our report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” we discussed the regularity at which government agencies gain access to telecommunications data. Save for the Canadian Border Services Agency, federal government agencies that are principally responsible for conducting domestic telecommunications surveillance, such as the Royal Canadian Mounted Police, could not account for how often they use their surveillance powers.
In the course of investigating government access to telecommunications data we also contacted regional policing departments. This post expands on findings we provided in our report to discuss, in depth, the data provided by responsive police departments. We conclude by asserting that new legislation must be introduced and passed so that Canadians become aware of the magnitude of contemporary telecommunications surveillance that policing organizations are involved in on a yearly basis.
Requests to Police Departments
We filed requests to Canadian police departments to determine how often individual departments were exercising telecommunications surveillance powers. Though our report principally focused on federal government agencies’ surveillance, we had hoped to effectively juxtapose provincial/municipal telecommunications surveillance against their federal brethren. We ultimately decided to not conduct a detailed juxtaposition in the report because an insufficient number of police departments responded to our legally-binding requests for access to government data in time for publication.
We filed requests for information to police departments operating in Nova Scotia, Ontario, Alberta, and British Columbia. These requests identified the provincial statutes we were relying on to request information. We paid fees to the various police departments to initiate the processing of the requests. The only two police departments that were responsive to our requests were the Halifax and Vancouver police departments. The most notable non-responsive departments police the cities of Calgary and Toronto.
Candace Mooers asked me a good question today about deep packet inspection (DPI) in Canada. I’m paraphrasing, but it was along the lines of “how might DPI integrate into the discussion of lawful access and catching child pornographers?” I honestly hadn’t thought about this, but I’ll recount here what my response was (that was put together on the fly) in the interests of (hopefully) generating some discussion on the matter.
I’ll preface this by noting what I’ve found exceptional in the new legislation that was recently presented by the Canadian conservative government (full details on bill C-47 available here, and C-46 here) is that police can require ISPs to hold onto particular information, whereas they now typically required a judicial warrant to compel ISPs to hold onto particular data. Further, some information such as subscriber details can immediately be turned over to police, though there is a process of notification that must immediately followed by the officers making the request. With this (incredibly brief!) bits of the bills in mind, it’s important for this post to note that some DPI appliances are marketed as being able to detect content that is under copyright as it is transferred. Allot, Narus, ipoque, and more claim that this capacity is built into many of the devices that they manufacture; a hash code, which can be metaphorically thought of like a digital fingerprint, can be generated for known files under copyright and when that fingerprint is detected rules applied to the packet transfer in question. The challenge (as always!) is finding the processor power to actually scan packets as they scream across the ‘net and properly identify their originating application, application-type, or (in the case of files under copyright) the actual file(s) in question.