Wednesday, September 14, 2011

Omnibus Letter: 2 of 3

This is the second of a series of three letters to Canadians and the Canadian Government regarding the Omnibus Bill.

The purpose of former bill C-52, as laid out in section 3, was to provide capabilities for law enforcement agencies (LEAs):

…to exercise their authority to intercept communications and to require telecommunications service providers to provide subscriber and other information, without unreasonably impairing the privacy of individuals, the provision of telecommunications services to Canadians or the competitiveness of the Canadian telecommunications industry.

Primarily, the concerns that I will lay out, as well as the recommendations, are with areas where the content of the bill appears to contradict its stated purpose. With that in mind, I hope that the authors of the former bill and of future iterations of lawful access legislation will find these concerns in line with their own. It is my belief that a solution can be found to these issues, but that the former version of the legislation requires at least amendment. I also contend that additional justification is required, as well as consultation with various groups, which should include privacy officers and academics, so that any issues can be rectified or amended. Due diligence of this kind requires time and careful consultation, which it does not appear the omnibus crime bill will be afforded. For this reason, I assert that inclusion of lawful access legislation within the omnibus bill would be a poor decision for Canada and for Canadians.

A Private Association
That which naturally occurs as private can reasonably be expected to remain so, and an individual's connection to digital addresses is no exception. As such, I contend that electronic addresses are private, reaffirm that they are a form of personally identifiable information (PII), and put forth the concern for privacy infringement that section 16 (1) (mandated disclosure) of former bill C-52 generates.

PII includes any piece of information which, either on its own or when combined with other data, can help identify an individual. Addresses, telephone numbers, names, birthdates, and postal codes are all examples of PII.

Digital communications occur between devices, and those devices are addressed for the purpose of routing the relevant communications. In computers, for example, we have IP addresses and MAC addresses. These addresses identify our computers and their place on the network, much as a street address identifies a house within a city. A variety of other electronic addresses also exist, such as the SIM number (on some cell phone networks) and email addresses. Just like the addresses written on a piece of mail, these are inspected at intervals along the way: routers, switches and networks read them in the same way that the outside of an envelope is read at a mail-sorting station.

The devices with which electronic addresses are associated can also be traced back to an individual. An IP address, for example, can typically be associated with an individual computer[1]. If an email account used on that computer can also be determined, then it is possible to associate it with accounts on Facebook/Twitter/etc. and so determine the user's identity. This is a simplified illustration, but it makes the point: even if these associations were not enough to uniquely identify an individual, they could be combined with other PII that collectively would. Electronic addresses, particularly when combined with other digital information, can help determine not just the computer being used, but which individual is using the computer. By virtue of this fact, they are considered PII. The Canadian Government acknowledged this by including them in the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets forth specific requirements for private-sector organizations regarding the storage, use, and destruction of personal information.

Electronic addresses are not simply PII; within our current digital communications they are also private, and typically only revealed to trusted entities or personal associates. Though it is true that the source and destination IP addresses associated with data are seen by the network infrastructure when that data is transmitted, that network infrastructure is considered an implicitly trusted entity. It is simply a technological requirement that these addresses be examined at certain points before the data can be passed on; otherwise it would never reach its destination. Of course, this is nothing new, and is quite similar to the way that the paper mail system functions. A letter (the data) is received with a destination address (the IP address). From there, the next hop is determined, which could be a sorting station in some other city (the next router), and the mail is forwarded. Canadians accept that this is part of the functional requirements of the system, that Canada Post should be able to check addresses, because otherwise they wouldn't get any mail. Along with this, however, Canadians generally trust that Canada Post will treat this information with a reasonable degree of privacy. Canadians consider mail somewhat sacred, and that is appropriate. Freedom of association implicitly requires freedom from unwarranted observation, and most people would have difficulty with the idea of having their mail rifled through, even if it was just to record the addresses and names on it. It is for these same reasons that electronic addresses are private. The data associated with them is passed from point to point, with trusted intermediaries (routers/switches) examining and directing it automatically. This trust is well placed under PIPEDA, which protects these addresses as PII and so ensures a degree of privacy. Furthermore, the inherent privacy of many telecommunications extends beyond that of regular mail.
Everyone knows their mailing address; even if it is a proxy (a PO Box, for example), they typically know it by heart. By contrast, the vast majority of individuals do not know what their IP address is, and many do not know that they have one. To add to this, where a postal address changes only when the individual physically moves and submits paperwork, a dynamically assigned IP address can change simply because some equipment restarts, through a protocol called DHCP. All of this means that electronic addresses are not simply PII, but that they are also implicitly private, and often unknown even to their owner.

Section 16(1) of former bill C-52 mandates disclosure of customer records, including electronic addresses and other PII (names, addresses, phone numbers, device numbers, and others), without court oversight. While section 17 requires that this disclosure occur only under exceptional circumstances (belief, based on reasonable grounds, that there is urgency), section 16 provides no such conditions. While it is acknowledged that these sections apply to different organizations, there is concern about the legitimacy of the differing treatment.

When Stockwell Day was the Public Safety Minister, he was opposed to warrantless acquisition of information saying, “we are not in any way, shape or form wanting extra powers for police to pursue [information online] without warrants.” More recently, in comments referenced by Lawrence Martin in a Globe and Mail article, he stressed that critics should attempt a degree of restraint until all the details are out. [2] And according to a spokesman for Justice Minister Rob Nicholson, “…while the law has to keep up with technology, there will be privacy safeguards in the bill.”[3] While this is reassuring, strictly speaking there were previously safeguards, and if they stand without amendment then many bodies are concerned they will not go far enough.

Oversight proposed by former bill C-52 includes providing reports by LEAs to privacy officers, but there are concerns about this too: from the privacy commissioners themselves. A letter from the Privacy Commissioners of Canada included complaints that the requirement of oversight by them did not go far enough or provide enough power. In fact, the powers referenced in former bill C-52 already existed in Section 18 of the Privacy Act, with C-52 specifically referencing it and going no further.[4] By their own testimony, the tools available to their offices are not sufficient, they do not have the appropriate resources to counterbalance the removal of court oversight in the previous bills, and no new powers are being granted.

The notion that PII would be made available without court oversight is a significant concern to many Canadians, risking unreasonable infringements on privacy. The Canadian Government has for quite a while supported the position that PII should be considered private. For example, in section 487.013 of the Criminal Code, judicial authorization is a stated requirement for investigators to seek PII.  Also in the Criminal Code, trafficking in such data is considered an offense. 

The reality, that currently LEA requests for PII from telecom companies are practically never denied, is a troubling precedent. It appears this information has been at the telecommunication company’s discretion, while that same discretion is barely used (the CWTA has said it knows of no incidents wherein the police have been unable to gain access to information which they sought). This gives both LEAs and telecommunication companies a perfect score of fully-serviced legitimate requests, which appears dubious (as any perfect score naturally is). Even if this is legitimate, it appears a procedural flaw to have so much PII exchanging hands without court oversight. Telecommunication companies are not staffed by judges, nor are they disinterested third parties who should be making such decisions. A court controlling what information is released appears more desirable; it is part of the purpose of the court to make such decisions. Outside of emergency circumstances such as those described in section 17, which should be subject to strict review, the removal of court oversight is likely to lead to unreasonable infringements on the privacy of Canadians.

It has been suggested that LEAs could use this to catch the more sophisticated criminals, those who are currently avoiding detection. However, these addresses are not fixed to a person. If an "attacker" surfs the web from a coffee shop, for example, the outside world sees that shop's IP address rather than anything tied to the attacker's home connection. The shop's own network equipment can still log the association between the attacker's MAC address and the local IP address it handed out, so simply using a different network does not by itself prevent the attacker from being traced by MAC address (note that a MAC address is only visible on the local network; a remote website never sees it, so such tracing depends entirely on the local operator's logs). A MAC address is coded into the network hardware of the computer, but the operating system can be told to present a different one, a technique called "spoofing". The steps differ depending on the operating system, but they are trivial. The majority of users do not have this level of understanding of the technology, and so will neither be inclined to modify these numbers nor be cognizant of whether their IP address will be different. So, slightly more sophisticated attackers can modify these addresses and avoid detection via this method, while the vast majority of casual users remain vulnerable to privacy invasion.
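The attribution step described in this paragraph and in footnote [1], as an added Python example that is not part of the original letter: it correlates DHCP lease log lines with a time of use to find which MAC address held a given IP address, shows why the address alone is ambiguous once it has been reused, and flags the locally administered bit that randomised or hand-picked spoofed MAC addresses often carry. The log lines are constructed for this example; their format imitates a generic lease log and is not taken from any particular product, and the addresses are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lease log (invented for this example, not from a real device).
# Each line: timestamp, event, IP address, MAC address, lease length in seconds.
# 192.168.1.23 is handed first to one laptop, then to a second device whose MAC has
# the locally administered bit set (typical of a spoofed/randomised address), then
# back to the original laptop. Without a time of use the IP alone is ambiguous.
SAMPLE_LEASES = """\
2011-09-14T08:00:00 DHCPACK 192.168.1.23 00:1b:63:84:45:e6 3600
2011-09-14T08:05:00 DHCPACK 192.168.1.24 00:24:d7:12:aa:01 3600
2011-09-14T09:10:00 DHCPACK 192.168.1.23 02:11:22:33:44:55 3600
2011-09-14T10:30:00 DHCPACK 192.168.1.23 00:1b:63:84:45:e6 3600
"""

LEASE_RE = re.compile(
    r"^(\S+) DHCPACK (\d+\.\d+\.\d+\.\d+) ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) (\d+)$"
)


def parse_leases(text):
    """Parse lease log lines into dicts with start/end times, IP and MAC.
    Lines that do not match the expected format are skipped."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        start = datetime.fromisoformat(m.group(1))
        leases.append({
            "start": start,
            "end": start + timedelta(seconds=int(m.group(4))),
            "ip": m.group(2),
            "mac": m.group(3),
        })
    return leases


def macs_ever_for_ip(leases, ip):
    """Every MAC that ever held `ip`: what an investigator gets without a time of use."""
    return {l["mac"] for l in leases if l["ip"] == ip}


def mac_for_ip_at(leases, ip, when):
    """The MAC holding `ip` at `when`, or None if no lease covered that moment.
    If leases overlap (a renewal or an early reassignment), the most recent one wins."""
    covering = [l for l in leases if l["ip"] == ip and l["start"] <= when < l["end"]]
    if not covering:
        return None
    return max(covering, key=lambda l: l["start"])["mac"]


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: the address was not assigned by a
    vendor. Randomised and many hand-chosen spoofed MACs set this bit, but an
    attacker can equally copy a real vendor address, so a clear result proves nothing."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    ip = "192.168.1.23"
    print("all MACs ever seen on", ip, "->", sorted(macs_ever_for_ip(leases, ip)))
    for t in ("2011-09-14T08:30:00", "2011-09-14T09:05:00", "2011-09-14T09:30:00"):
        mac = mac_for_ip_at(leases, ip, datetime.fromisoformat(t))
        flag = "" if mac is None else (" (locally administered)" if is_locally_administered(mac) else "")
        print(t, ip, "->", mac, flag)
```

Run as a script it prints the two MACs that have shared the address, then resolves each sample time to one MAC or to none. The gap between 09:00 and 09:10, where no lease covers the address, is the case an investigator must treat as unknown rather than assume continuity; the locally administered flag is only a hint that the recorded address may not belong to any vendor-assigned interface.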

However, it could be argued that most criminals are ignorant or foolish and thus will not use these methods. But if they would not change their addresses via proxies or other methods, then would they properly delete incriminating information from their hard drives? Would they dispose of evidence in a sophisticated manner? When on the Internet, would they use secure channels or encrypted technologies? Would they strip identifying information (including GPS coordinates) from pictures? The argument that criminals are becoming more sophisticated and implementing the above techniques (as well as others) to avoid detection seems to conflict with the idea that they would neglect to change their MAC address or use a proxy. Before legislation is passed, the LEAs should provide some empirical evidence for why current identification techniques are failing and why relying on these somewhat unreliable addresses will be more effective. In a letter from the Office of the Privacy Commissioner of Canada last March, this same concern was raised:

It is also noteworthy that at no time have Canadian authorities provided the public with any evidence or reasoning to suggest that CSIS or any other Canadian law enforcement agencies have been frustrated in the performance of their duties as a result of shortcomings attributable to current law, TSPs or the manner in which they operate. New powers should be demonstrably necessary as well as proportionate. Ultimately, even if Canadian authorities can show investigations are being frustrated in a digital environment, all the various powers that would be granted to address these issues must be subject to rigorous, independent oversight.[5]

It is important to note the subtle difference between this retroactive oversight and the proactive warrant system. Any decision to go without court oversight, to go without warrants, dredges up concerns. This is because retroactive accountability, though certainly preferable to an absence of accountability, cannot directly stop an activity from occurring. It is a deterrent rather than a preventive measure: more than symbolic and very important, but limited in a fundamental way by its placement in the process.

The private nature of electronic addresses, reinforced by PIPEDA and the Criminal Code, demonstrates that this and all other PII should be treated as sensitive. Furthermore, any disclosure should require oversight to protect citizens from abuses. This position is both historically and legislatively grounded. To challenge it, significant and high-quality evidence should be brought forth by LEAs. To arrange any modifications as a result, proper time should be devoted to ensure communication between affected parties, to facilitate discovery of any relevant amendments and their implementation in a quality form.

It has become evident that I am not alone in voicing concern over this issue, so I hope that the above elaboration of the concerns can assist many with understanding their justification and focus. It is my belief that ensuring popular understanding of such issues is vital to a functioning democracy.

In my next and final letter of the series, I will set out the remaining concerns regarding the new monitoring systems within the previous bills, and propose tentative amendments to them.

If you feel strongly about these measures, as I do, then I encourage you to go to and sign their petition.

[1] If logging is enabled for ARP (or DHCP leases) and a time of use is known, for example, you could associate the two and come up with a specific computer on a specific network. Many home networks only have a single computer behind the router, which makes this easier.
[3] Laura Payton, August 2011, "Internet privacy experts raise concerns over crime bill"
[4] Office of the Privacy Commissioner of Canada, March 2011, "Letter to Public Safety Canada from Canada's Privacy Commissioners and Ombudspersons on the current 'Lawful Access' proposals"
[5] Office of the Privacy Commissioner of Canada, 9 March 2011, "Letter to Public Safety Canada from Canada's Privacy Commissioners and Ombudspersons on the current 'Lawful Access' proposals"
