Lawful Access Consultation 2016

Another federal government consultation has recently wrapped up, this time with Public Safety asking about national security. Like other ongoing consultations, this one was criticized (for example, by Christopher Parsons and  Tamir Israel) as framing the policy issue in a way that the government prefers, and trying to legitimate some ideas that should have been discredited by now. I would say that the consultation framed the issue very much as Public Safety (for instance, the RCMP) would prefer, repeating old rationales, and seeing the world from a perspective where the ability to exercise sovereign will over information flows is paramount. The Green Paper provided for background reading foregrounds the concerns of law enforcement & security agencies, is peppered with the words “must” and “should”, advancing some dubious assumptions. Public Safety asked for feedback on terrorism-related provisions (including C-51), oversight, intelligence as evidence, and lawful access. The last of these has seen a number of previous consultations, but is back in the news as police make their case for the issue of “going dark” (which has become part of the RCMP’s “new public narrative” for a set of concerns that were once broadly talked about as lawful access).

I let this one get away from me, so I didn’t have anything ready for Dec. 15 when the online submission closed. Regardless, I’ve decided to complete most of the questions related to the topic of Investigative Capabilities in a Digital World as a blog post. I don’t feel particularly bad for missing the deadline, since several of these questions border on ridiculous. For a true public consultation on what has long been a very contentious issue, it would be important for the questions to be informed by the arguments on both sides. Privacy experts would have asked very different questions about privacy and state power, and on a number of topics Public Safety seems to be trying to avoid mentioning the specific policies that are at stake here.

How can the Government address challenges to law enforcement and national security investigations posed by the evolving technological landscape in a manner that is consistent with Canadian values, including respect for privacy, provision of security and the protection of economic interests?

When I think of Canadian values, “privacy, provision of security and the protection of economic interests” are not what come to mind. When I ask my students what they associate with Canada, these particular values have never come up in an answer. I think we should consider democracy as a fundamental value, and understand that state secrecy is antithetical to democracy. When it comes to the relationship between citizens and the state, Canadian values are enshrined in the Charter, and the Supreme Court is ultimately responsible for interpreting what is consistent with the Charter. Therefore, Canadians deserve to understand what is being done in their name if we are to have a meaningful democracy, and this includes the existence of an informed, independent judiciary to decide what government actions are consistent with Canadian values.

In the physical world, if the police obtain a search warrant from a judge to enter your home to conduct an investigation, they are authorized to access your home. Should investigative agencies operate any differently in the digital world?

If we accept the digital/physical distinction, the answer is a definite yes — investigations carried out today operate differently than they did in the simpler, more “physical” 1980s. But it is important to keep in mind that analogies between the digital and physical environment can be misleading and dangerous. When it comes to the “digital world”, I prefer to talk about it in digital terms. The stakes are different, as are the meaning of terms like “to enter”. If we must make these comparisons, here is what treating these two “worlds” as analogous would mean:
The police can enter my home with authorization, and seize my computer with authorization. I am not required to make my computer insecure enough for the police to easily access, just as I am not required to keep my home insecure enough for the police to easily access. I am not required to help the police with a search of my home, and so I should not be required to help police search my computer. If I have a safe with a combination lock in my home, I cannot be compelled by police to divulge the combination, so by analogy, I should not be compelled to divulge a password for an encrypted disk.

But analogies can only take us so far. A computer is not a home. Metadata is not like the address on a physical envelope. We need to understand digital information in its own terms. To that end, some of the more specific questions found further in this consultation can produce more helpful answers. Before we get to these however, this consultation requires me to answer a couple more questions based on the presumption of digital dualism.

This question is hard to answer without knowing what it means to “update these tools”, and seems to be intended to produce a “yes” response to a vague statement. Once again, digital/physical comparisons confuse more than they clarify — these are not separate worlds when we are talking about production orders and mandating the installation of hardware. We can talk about these topics in their own terms, and take up these topics one at a time (see further below).

If we could only get at the bad guys in the digital world, but there's all this code in the way!
If we could only get at the bad guys in the digital world, but there’s all this code in the way!

Is your expectation of privacy different in the digital world than in the physical world?

My answer to this question has to be both yes and no.

No, because I fundamentally reject the notion that these are separate worlds. I do not somehow enter the “digital world” when I check my phone messages, or when I interact with the many digitally-networked physical devices that are part of my lived reality. Privacy law should not be based on trying to find a digital equivalent for the trunk of a car, because no such thing exists.

Yes, expectations of privacy differ when it comes to “informational privacy” (the language of Spencer), because the privacy implications of digital information need to be considered in their own terms. Governments and public servants do Canadians a disservice with phonebook analogies, license plate analogies, or when they hold up envelopes to explain how unconcerned we should be about government access to metadata (all recurring arguments in the surveillance/privacy debate). In many cases, the privacy implications of access to digital information are much more significant than anything we could imagine in a world without digital networks and databases of our digital records.

Basic Subscriber Information (BSI)

 

As the Green Paper states, nothing in the Spencer decision prevents access to BSI in emergencies, so throwing exigent circumstances into the question confuses the issue, and once again seems designed to elicit a particular response that would be favorable to police and security agencies. In the other examples, “timely and efficient” is the problem. Agencies understandably want quicker and easier access to personal information. The Spencer decision has made this access more difficult, but any new law would still ultimately have to contend with Spencer. Government, police, and security agencies seem to be in a state of denial over this, but barring another Supreme Court decision there is no going back to a world where the disclosure of “basic” metadata avoids section 8 of the Charter, or where private companies can voluntarily hand over various kinds of personal information to police without fear of liability.
If the process of getting a court order is more onerous than police would like, because it would be easier to carry out preliminary investigations under a lesser standard, it is not the job of government to find ways to circumvent the courts. If the process takes too long, there are ways to grant the police or the courts more resources to make it more efficient.
There are ways to improve the ability of police to access metadata without violating the Charter, but any changes to the existing disclosure regime need to be accompanied by robust accountability mechanisms. Previous lawful access legislation (Bill C-30) was flawed, but it at least included such accountability measures. In their absence, we only know that in a pre-Spencer world, police and government agencies sought access to Canadian personal information well over a million times a year without a court order, and that a single court order can lead to the secret disclosure of personal information about thousands of Canadians. Police and security agencies have consistently advocated for these powers, but failed to document and disclose how they actually use them. This needs to change, and the fear of disclosing investigative techniques cannot be used to prevent an informed discussion about the appropriateness of these techniques in a democratic society.
Do you consider your basic identifying information identified through BSI (such as name, home address, phone number and email address) to be as private as the contents of your emails? your personal diary? your financial records? your medical records? Why or why not? 
The answer to this question depends on an exhaustive list of what counts as BSI. It is important to have a clear definition of what counts as BSI, because otherwise we might be back in the pre-Spencer postion where police are able to gain warantless access to somebody’s password using powers that were meant for “basic identifying information”.
The answer to this question also depends on an explanation of what is done with this “basic” information. As was recognized in Spencer, we can no longer consider the privacy impact of a piece of personal information in isolation. This is how lawful access advocates prefer to frame the question, but this is not how investigations work in practice. BSI is useful only in combination with other information, and if we are talking about metadata (a term that curiously, never appears in the Green Paper) it is now increasingly-understood that metadata can be far more revealing than the content of a personal communication, when it is used identify people in large datasets, determine relationships between individuals, and patterns of life.
So in short, yes — I am very concerned about BSI disclosures, particularly when I don’t know what counts as BSI, and what is being done with this information.
Do you see a difference between the police having access to your name, home address and phone number, and the police having access to your Internet address, such as your IP address or email address?
I see an enormous difference. As previously discussed, these are not analogous. An IP address is not where you “live” on the internet — it is an identifier that marks interactions carried out through a specific device.

Interception Capability

This is not a question… Yes all of this is true.
Should Canada’s laws help to ensure that consistent interception capabilities are available through domestic communications service provider networks when a court order authorizing interception is granted by the courts?
The key word here is “consistent”, and the question of what standard will be required. It would be very easy for government to impose a standard that large telecom incumbents could meet, but which would be impossible for smaller intermediaries. As things are, the incumbents handle the vast majority of court orders, so I would love to see some recent statistics on problems with ‘less consistent’ intermediaries, particularly if this is a law that might put them out of business.

Encryption

I think the answer to this has to be never. People cannot be forced to divulge their passwords — in our society they can only be put in prison for very long periods of time. In other cases, assisting with decryption means forcing Apple to break through their own security (which was meant to keep even Apple out), or driving companies out of business unless they make products with weak security. This does not work in a world where a single individual can create an encryption app.

How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?

By doing anything other than mandating insecurity for everyone. The answer cannot be to make technology insecure enough for the state to exploit, because this makes everyone insecure, except for those who use good encryption (which has become too commonplace to stamp out).

 

The final two questions deal with data retention, a topic I’ll leave for a later time…

Still sorting out the post-Snowden balance

The ongoing fight between Apple and the FBI, in which a growing number of companies have declared their own interest and support, is the latest constitutive moment for what it means to live in the “post-Snowden” era. This is because the fight is a direct consequence of changes made by Apple following the Snowden disclosures, and because it is now being used as a way to stabilize some sort of “balance” between government and industry, after the massive shake-up of this relationship in late 2013/early 2014. The shift that occurred included major tech companies treating their own government as an adversary to defend against. Now, Apple has reportedly decided that its own engineers must also be part of this threat model. After Snowden, the company decided that it no longer wanted to be able to unlock phones for the government. Now, the challenge is to develop security that the company cannot even help the government break through some indirect means.

The term “post-Snowden” has gotten a lot of use in the last couple of years, but the Apple-FBI battle demonstrates the real shift to which it refers. Perhaps in a few years, the impact of the Snowden disclosures will be forgotten, in much the same way as the crypto war of the 1990s faded from memory as the relationship between industry and government got cosy after 9/11. But the world did change in a variety of substantial ways as a consequence of Edward Snowden’s actions, and we are still grappling with the legacy of those changes.

The Snowden disclosures were a truly international story with many local manifestations. Just as NSA-affiliated surveillance infrastructure had been extended around the globe, scandal touched the various nations implicated in the documents, and opened the door to local investigations. News stories broke one after another, with governments as either targets or practitioners of surveillance. Canada, as a member of the exclusive “Five Eyes” surveillance club, was reminded that it too had an agency with a mandate similar to the NSA (CSEC, now CSE). More clearly than ever, citizens understood that the surveillance infrastructures of intelligence agencies had global reach. Canada hasn’t seen public battles between government and industry like the one currently involving Apple, and discussions of government surveillance have been more muted than in the US, but a series of Snowden-related stories in this country have also fed into long-standing concerns about surveillance and privacy.

I want to spend more time on how the Snowden disclosures impacted Canada in a later post, but for now I’ll just briefly reflect on my own experiences studying the telecom industry during this period.

I began attending meetings of network operators and engineers in 2012. The first of Snowden’s revelations hit in June 2013, and by the fall of 2013, the topic of state surveillance was a regular part of conference conversations and presentations, if not the actual topic of presentations themselves. At the October 2013 NANOG conference, the internet’s North American engineers cheered the resistance of Snowden’s email provider to disclosure demands by the US government (Ladar Levison had built what was meant to be a secure email provider, but the FBI ordered him to hand over the encryption keys. Attendees applauded his efforts to make the FBI’s job as difficult as possible). At the IETF in Vancouver the following month, participants overwhelmingly voted to treat pervasive surveillance by state intelligence agencies as a technical attack on the internet, and debated how to protect against it. At a Canadian industry conference in April 2014, an executive with an incumbent ISP argued that service providers had an opportunity to gain a competitive advantage by offering better security, and showed a photo of Snowden as an answer to the question of why we care about privacy and security. Interestingly, Canadian government agencies reportedly joined Canadian companies in touting the country’s privacy and security advantages to customers concerned by surveillance in the US.

After Snowden, corporate management and operational decisions took time to shift, but the change in discussions and governance forums was more immediate. It wasn’t just that private intermediaries suddenly had a new threat to worry about, but that the nature of their role, and their relationship to their users/customers had changed. Snowden’s revelations included the fact that the NSA had been undermining the very internet infrastructure that the agency had been tasked with protecting, but also the suggestion that it had done so with intermediaries acting as private partners. Best exemplified by early reports of the PRISM program, some intermediaries were now seen as complicit in this global spying apparatus. As a consequence, companies began limiting cooperation with government agencies and issuing transparency reports about the nature and extent of their information disclosures.

The Snowden disclosures contributed to cynicism and distrust of both government and private industry, and trust is key for companies that have built a business model around securing personal information. Companies such as Apple are positioning themselves as trusted stewards of personal information, with the recognition that customers often do not trust government assurances that they will only access such data in limited and justified circumstances. The most recent moves by Apple are an attempt to move data even further out of the reach of these providers themselves. Such an approach will not be possible for companies that depend on access to this data as part of their business model (for advertising purposes), but for those selling hardware and online services, building walls against governments is now often more desirable than negotiating access.

From one perspective, the Apple-FBI fight is about setting a precedent for government power in the post-Snowden era. But I would say that it is an indicator of a loss of government power, a shift in the orientation of the US tech industry to the state, and one of the continuing consequences of Snowden’s decision to shake up the world.

Telecom Companies as Privacy Custodians (Rogers and Telus tower dumps)

Yesterday, Justice Sproat of the Ontario Superior Court released a decision in a case involving Rogers, TELUS, and the Peel Regional Police. Back in 2014, the police force had requested “tower dump” data from these companies in order to identify some robbery suspects. The orders were so broad (the broadest ever, to the knowledge of the TELUS deponent) that the telecom companies opposed them in court. Despite the fact that the production orders were then withdrawn by police, the judge heard the case anyhow, and was able to offer guidance for police and telecom companies dealing with similar cases in the future.

David Fraser has provided a legal analysis of the decision, which found that “the Production Orders were overly broad and that they infringed s. 8 of the Charter” [42]. For me the most interesting aspects are what this decision tells us about the roles and responsibilities of intermediaries as privacy custodians. The decision states (on the issue of whether the companies have standing in the case) that Rogers and TELUS “are contractually obligated” to “assert the privacy interests of their subscribers” [38]. That is to say, the relationship these companies have with their customers creates obligations to protect subscriber information, and this protection includes defending subscribers against unconstitutional court orders. It is not reasonable to expect individual subscribers to defend their privacy interests in such cases — the intermediary should stand between the individual and the state as a privacy custodian (and this means making determinations about which police requests and court orders are unconstitutional).

Also of particular interest is the judge’s recommendation that police should request “a report based on specified data instead of a request for the underlying data itself”, unless this “underlying data” is required for some reason [65]. This means that instead of asking companies such as Rogers and TELUS for the personal information of tens of thousands of subscribers, so that the police can determine which subscribers to investigate further (presumably those in the proximity of more than one crime scene), the telecom companies could do this work themselves, and disclose only the information of subscribers that meet particular criteria. In effect, this type of practice would require and entrust intermediaries to do as much of the initial investigatory work as possible, handing over only the information that police need to proceed further. This particular guideline is meant to limit the privacy impact of such disclosures, since the judge notes that personal information in the hands of police can be vulnerable to being “hacked” [20], and that police in possession of such data are not subject to conditions on data retention [59-60].

For me, the unanswered question is: why Rogers and TELUS? There are larger players than TELUS in Ontario, but this is a company that has pushed back before against such overreach. If the police had no idea who the suspects or their mobile providers were, did they obtain production orders for all mobile providers, and only Rogers and TELUS pushed back? If so, did other companies fail their customers as privacy custodians by not opposing such orders?