Sunday, December 4, 2011

Omnibus Letter: 3 of 3

A few weeks ago the Conservatives made public their decision to delay reintroducing lawful access legislation. It was supposed to be part of the Omnibus Crime Bill, now called the Safe Streets and Communities Act, I believe this is the right decision. Including it in the omnibus bill would have risked stifling an important conversation. The fact is that this legislation requires time for careful study and discussion. The decision by Conservatives to delay it is the responsible one and I'm pleased to see it.

Regardless, lawful access is coming. The statement in the house, that there is no plan for warrantless tapping of digital communications, is nothing new. It was never in any of the bills and the need to refute it is more of a sign of confusion than a policy change. It highlights a problem of the sensationalist treatment of lawful access. Michael Geist recently complained that much of the discussion "...doesn't involve the real lawful access." I agree with him, but want to go further and explain it. Lawful access is not about warrantless tapping of your communications (at least not in Canada). While monitoring capabilities will be required, access to that data will be granted through a warrant system with a degree of streamlining. Warrantless access was only to be mandated for customer account information, such as:
- name
- address
- contact numbers
- email addresses
- IP and other electronic addresses

I would hope that readers of this blog will not have carried this confusion, as I have done my part to be clear (if you listened to the past Slightly Sauced interview, I made a point of bringing this up).  However, it may beg the question, "if it's not about warrantless digital wiretapping, then why should I care?" I answered this to a large degree in discussing IP and MAC addresses in the last letter. However, there is another, more commonly understood electronic address: the email address.

Email addresses are an essential tool for communication on the Internet. They were the first means of contact and are still required for registration for the vast majority of popular sites and services, including those that subvert email by allowing private messaging (social networking sites or VoIP accounts). Due to their pervasiveness, it is common to find an individual with multiple accounts for multiple purposes. Those accounts, when known to others, allow the individual to be tracked on  multiple technologies. Using an email account of a friend, you can find them on Facebook, Twitter, and so on. That makes email addresses uniquely powerful tools in the hunt for information about the individual. Reading the emails themselves is completely unnecessary, for if they have a Facebook account and you have their email address, you already know what activities they enjoy and who they associate with. They may even post notes to invite you deeper in their psychology and rationalization. Indeed, they may be doing so under the guise of anonymity; they may think that no one else knows who they are because it’s not their real name posted, or their real address, or their real phone number. Unfortunately for them none of this matters if you know their email address. They may use privacy features to control public knowledge of their profile, but a friend request can always be sent and is typically responded to positively. Many do not restrict their online profile “friends” to just those individuals that they know in person, or more importantly, to whom they know at all. Perhaps it was in part for these reasons that Charlie Angus wrote of former bill C-52, which allows for disclosure of electronic addresses including email addresses, that:

This will allow law enforcement to identify individuals involved in a striking array of online activity including anonymous political opinions made in blog posts or newspaper comments, location data posted online from a smart phone, social networking activity, private online instant message or email exchanges…[i]

Some email accounts are used publicly, handed out like leaflets or for signing up for deals on products, while others are kept only for the closest of friends. A decision to disclose all appears to fail to account for this reality and results in probable overreach.

Mandating the capability of monitoring individual and multiple communication sessions could cost millions. Where this money comes from is not detailed in the bills. Additionally, background checks will be required of some employees, so that they can respond to the requests of Law Enforcement Agencies LEAs. The background checks are a good idea, but they demonstrate the degree to which this will likely affect the workforce at the ISPs and carriers. Those organizations are furthermore required to respond to testing requests put forth by LEAs.

A major concern here is one of competition in the marketplace. Currently, Canadians pay extraordinary fees for the services that they receive. This is true both for cellular and in-home digital communications. While it is true that this kind of surveillance technology may be highly useful for LEAs, without any clause stating where the funds will come from to pay for these technologies, one is left to conclude it will be the consumer. Alternatively, if the telecom companies end up covering the costs independently, this will have a much more significant impact on smaller ISPs than on larger ones.  In a country where just two players provide the majority of our digital services, it is imperative that legislation acknowledges and encourages a vibrant competitive atmosphere. This acknowledgement and encouragement is not apparent in former bill C-52. The language in former C-52 which does address this issue reads unclearly to me.

The effectiveness of these technologies will be left up to the scrutiny of the LEAs. This is concerning because no public details about the information contained in these transmissions will be made available. For example, will encrypted communications be unencrypted? Will attempts be made to subvert HTTPS or others that consumers rely on for ensuring the privacy and authenticity of their communications? No details are apparent in the former bills, though accounting for such questions seems prudent. This is both because of the effect it will have on private communications, as well as being informative for how effective the measures taken will be in gathering evidence on criminals.

Proposal for Action

First and foremost, CSIS, the RCMP, and police services should demonstrate why each of them needs access to this capability. In particular, empirical evidence should be expected to demonstrate areas where these organizations have been blocked and where they have been forced to fail in performing their duties.  We entrust great powers to our LEAs, we do so because we see that power as a necessity for the safety of our communities. That trust requires integrity. If LEAs do prove, individually, that their work cannot be done through their current powers, then I have no qualms in providing some new powers. However, if these powers are awarded without reasonable constraint or without empirical justification that demonstrates their necessity, then citizens trust is compromised. The rationale for these new powers over individual citizens rights is absolutely essential for a healthy relationship between law enforcement and the citizenry.

While I acknowledge that Stephen Harper views the majority government as a mandate to move forward with this legislation, all of the above has been written with the knowledge that no lawful access legislation has yet been put to the house. So, it stands to reason that modifications are possible where reasonable. With the degree of public concern, including petitions and a great deal of writing on this subject by major players in the industry and in academia, it would seem reasonable to separate this into its own category.  Now that this has been done, what should be discussed in that time? What amendments should be examined?

Court oversight should be seen as a necessity for the linking of individuals to devices (or vice-versa) unless emergency circumstances can be established and proven. Additionally, the term “emergency” within this context should be well defined. No department or organization should be exempt from this.

Detailed records must be made of the activity and passed on to privacy commissioners or ombudspersons. This appears to have already been addressed within the bill, but its important to note that these individuals responsible for privacy – the aforementioned commissioners or ombudspersons – must be  granted the capability of performing the oversight. They must have the staff, legal capacity, and technological resources with which to hold to account those who infringe on the privacy of the citizen. As the commissioners and ombudspersons have themselves stated, there are significant concerns regarding current capabilities to handle the influx of new details received as a result of these bills. Furthermore, and again by their own admission, it would appear highly unlikely that a reliance on the current provisions of section 18 in the Privacy Act would be sufficient.  It is crucial that those appointed to protect the privacy of Canadian citizens must be enabled to appropriately address privacy infringements.

Concerns and recommendations of other bodies that I endorse include those written in a communication from the Office of the Privacy Commissioner of Canada, dated the 9th of March, 2011. Entitled Letter to Public Safety Canada from Canada’s Privacy Commissioners and Ombudspersons on the current ‘Lawful Access’ proposals, it lays out a number of points, some of which I reiterate below, and all of which I support. In addition, the concerns of Open Media and those listed at should be brought in – preferably allowing them to testify before the committees associated with the bills. While it is my impression that these concerns are somewhat overstated, it is evident that many Canadians are extremely concerned. No better case than public concern could be made for a diligent review of the legislation. With the legislation now separated from the more general crime bill, I am hopeful that this what we will see. It also gives me hope to see the kind of interaction and access which Open Media has been successful at obtaining to sitting MPs from all parties.

For the past decade, infringements on privacy have become more and more commonplace. We have seen this from both governments and corporations. We have also seen individual citizens willingly giving up their personal information on a scale that is new. This relationship between the individual and privacy has changed. However, it is important to recognize the nuance with which this has been done. Disclosure to one group does not implicate disclosure to all. Many of the arguments in favor of disclosure of personally identifying information confuse this. It is an error of thinking in terms of all or nothing.

Privacy is not a privilege. However, to ensure the protection of the group concessions to allow access to individual’s information have been made. To ensure that abuses do not occur court oversight has been required.  This court oversight is the sole (currently rarely required) proactive check for disclosure by telecommunication companies. This balance, between public good and individual rights is what is being questioned here. Yet, I believe there are ways of providing reasonable oversight and protections for citizens so that they don’t have to relinquish rights. If there is a middle way, one that doesn’t facilitate unjustified infringements of individual privacy. Why not embrace it?

I want to be clear, I am not against LEAs having access to communications or PII. To me it is obvious that this is a requirement for investigation. It would not be appropriate to deny LEAs access to information if it is considered vital.
However, vital information is frequently private. If it is important, then access can be justified. If it is unimportant, than why ask for it? Court oversight ensures that we can determine which is which.

Costs of new systems to provide LEAs access need review. The current Omnibus Crime Bill (not including the lawful access) is already summoning up significant concerns regarding its expense. If we add a re-working of telecommunications networks then a variety of costing questions are interjected. The alternative is to require investment by the companies, or share it. A solution to this problem must be found.
Decisions about privacy are never easy. Privacy is one of the most nuanced concepts. As a right, this makes responsible treatment difficult. Scoping is a serious issue and one that scholars and judges have been wrestling with for centuries. However, as Daneil J. Solove has drawn to our attention, if we focus on the potential problems and issues that could come out of a decision, like potential abuses or the chilling of social interactions, then we can find compensating controls.

Comprehensive checks and balances are the foundation of a responsible organization. They help ensure integrity, which is a pre-requisite for trust. For individuals to trust their government and law enforcement is essential for a functioning society. Checks and balances help ensure governmental responsibility and the trust of its populace, who could argue against them?

[i] Michael Geist, Angus on Lawful Access: Serious Erosion of Privacy Rights, June 24 2011,

No comments: