Saturday, August 29, 2015

Canadian Police Chiefs looking to resurrect warrant-less access to telecom users' data

The Canadian Association of Chiefs of Police, at their annual conference, just passed a resolution looking to resurrect the lawful access debate following R. v. Spencer.

I find it puzzling. They are looking for warrantless access to customer data (which they call BSI, or basic subscriber information) where there is no expectation of privacy, while the Supreme Court of Canada said that there is a reasonable expectation of privacy in basic subscriber information. Their resolution (reproduced below), refers to recent caselaw that follows old pre-Spencer decisions that say there is no expectation of privacy in customer name and address connected to a telephone number. The resolution also refers to options being considered by a federal, provincial and territorial cybercrime working group to provide warrantless access to BSI.

Let me get this straight: they want warrantless access to BSI where there is no expectation of privacy, while the Supreme Court has said there is an expectation of privacy in BSI. So what's left of the categories of BSI where there is no expectation of privacy?

A few things are clear to me, which make this resolution and the apparent efforts to circumvent the warrant process very problematic.

  • The Supreme Court said there is a reasonable expectation of privacy in BSI, at least in the internet context;
  • The CACP and law enforcement generally have consistently said -- contrary to what the Court found in Spencer -- that there is never an expectation of privacy in BSI;
  • You can't trust law enforcement to determine whether an expectation of privacy exists.

I recognize that BSI is often critical to investigations, but it can't be a free for all where the police get access to it without an impartial judicial officer determining, on sworn evidence, that the balance between privacy and public safety is in favour of public safety. The inexorable conclusion is that the only solution to this is to make the warrant and production order process more efficient and streamlined.

Justin Ling did a great article on this for the CBA's National Magazine: National | Accessing subscriber data: Working around the Spencer ruling.

Resolution #03 - 2015

REASONABLE LAW TO ADDRESS IMPACT OF SUPREME COURT OF CANADA DECISION R. v SPENCER, 2014, SCC 43

Submitted by the E-Crimes Committee

WHEREAS law enforcement requires real-time, or near real-time access to basic subscriber (customer name and address) information (BSI) as it relates to telecommunications’ customers for investigative reasons, and;

WHEREAS the Supreme Court of Canada, in their majority decision in R. v Spencer, 2014 SCC 43, did state that:

  • a reasonable expectation of privacy exists in the identity of an internet subscriber where there is an ability to link that identity to specific online activity;

  • the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name address and telephone number found in the subscriber information;

  • absent an exigent circumstance, or authority from a reasonable law, such as authority from a judicial warrant or order, police do not have the power to conduct a search for basic subscriber information (BSI) when there exists a reasonable expectation of privacy in that information, and;

WHEREAS since the Spencer decision, the telecommunications companies refuse to provide any basic subscriber information (BSI) in the absence of an exigent circumstance, or a judicial warrant or order, even where there exists no reasonable expectation of privacy, and;

WHEREAS there exists no lawful authority designed specifically to require the provision of basic subscriber information, and the problems posed by this gap in the law are particularly acute where there exists no reasonable expectation of privacy in that information.

THEREFORE BE IT RESOLVED that the Canadian Association of Chiefs of Police supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, basic subscriber information (BSI) from telecommunications providers.

REASONABLE LAW TO ADDRESS IMPACT OF SUPREME COURT OF CANADA DECISION R. v SPENCER, 2014, SCC 43

Background

In June 2014, the Supreme Court of Canada issued a decision in the case of R v. Spencer - identifying that subscriber information that allows for the linking of the identity of a person with specific online activity in the context of a criminal investigation engages a high level of informational privacy. However, telecommunications and other service providers (e.g. financial institutions, rental companies) have interpreted the court's findings more broadly, and now demand judicial authorization (based on a reasonable grounds to believe threshold) for nearly all types of government requests for basic identifying information, extending beyond instances involving a person's substantive Internet activity.

The impact of the Spencer ruling and the broader response by telecommunications and other service providers is having a significant impact on law enforcement and criminal investigations. Basic identifying information is often required at the onset of an investigation where technology plays a role, but the judicial threshold required to obtain warrants and general production orders to access basic identifying information is difficult, and often impossible, to satisfy when an investigation is in its early stages.

Moreover, the impact of the Spencer ruling has caused substantial resource and workload challenges for law enforcement. For example, prior to the Spencer ruling, law enforcement agencies would generally complete a voluntary request to telecommunications service providers for basic identifying information in under an hour, and receive a response from service providers within the same day. Following the Spencer ruling, accessing the same information now often requires ten to twenty times the amount of administrative work and documentation, days of preparation to seek judicial authorization, and responses from service providers can take upwards of one month - sometimes exceeding a service provider's data retention schedule for the same information (meaning the information is no longer available).

Criminal investigations impacted by the Spencer ruling are now often delayed and in some cases, not pursued, due to judicial authorization or resource challenges. This impact applies to a range of investigative work, such as cases involving suspected online child sexual exploitation and abuse, fraud and other financially-motivated crimes, organized crime, requests for international law enforcement assistance, and national security matters involving suspected extremism and other threats to Canada - all of which may require basic identifying information from a telecommunications or other service provider to identify potential evidence for criminal investigations and prosecutions.

Transparency Guidelines

Transparency Reporting Guidelines were prepared by Industry Canada, in consultation with RCMP and other relevant Government of Canada partners, to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities. Specifically, the Guidelines cover categories of disclosures for reporting purposes and limitations to consider when reporting statistics. Of note, the Guidelines specify that there should be a six month delay in reporting timeframe to ensure that most active investigations have no possibility of being compromised. On June 30, 2015, the Transparency Reporting Guidelines were published on Industry Canada’s website:

http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf11057.html

Coordinating Committee of Senior Officials

Recently, a discussion paper, led by Justice, was presented to the Federal, Provincial and Territorial Coordinating Committee of Senior Officials, Cybercrime Working Group. The paper focuses on the impact of Spencer and legislative reform considerations.

Option 1: Create an administrative (non-judicial) scheme for access to Basic Subscriber Information (BSI).

Option 2: Create a new judicial order (production order) for basic subscriber information and/or add BSI to existing production orders.

Option 3: Create a specific production order for some types of basic subscriber information with a greater expectation of privacy, and create a specific administrative (non-judicial) authority for access to other types of basic subscriber information.

Recent Case Law

  • Since the Supreme Court of Canada released its decision in R. v. Spencer in June 2014, case law has started to emerge that applies the analysis in Spencer to other cases involving police requests for BSI.

  • The majority of relevant cases thus far are from Ontario and involve requests for BSI associated to a phone number. The cases have generally found that the privacy interests in BSI associated to a phone number are not the same as the privacy interests in BSI linked to an IP address, and distinguish Spencer on that basis. As such, the Ontario decisions have upheld warrantless requests for BSI associated to phone numbers as they found in the circumstances of each case that there was no expectation of privacy in such information. See: R. v. Morrison (unreported, Ontario Court of Justice, Reasons released on December 17, 2014); R. v. Khan (2014 ONSC 5664); R. v. Latiff (2015 ONSC 1580); R. v. Nurse and Plummer (2014 ONSC 6004).

  • The issue of whether there is a reasonable expectation of privacy in BSI associated to a phone number has also emerged in the context of transmission data recorders warrants (TDRW). These warrants provide judicial authorization to record incoming and outgoing dialed phone numbers. In Ontario, police/Crowns have argued before the Superior Court of Justice that an assistance order is the proper authorization to obtain in conjunction with a TDRW to compel a service provider to provide the BSI associated with the dialed numbers. However, Telus has argued that due to the privacy interests in BSI, as found in Spencer, a general warrant is the proper authorization. Nordheimer J. agreed with the police/Crown and held that Spencer was a decision dealing with the Internet and it did not find that there is always a reasonable expectation of privacy in BSI, but rather it will depend on the circumstances of each case. This is a very recent decision (June 19, 2015), and it will be interesting to see if other jurisdictions follow this reasoning. See H.M.Q. v. TELUS Communications Company, 2015 ONSC 3964.

REASONABLE LAW TO ADDRESS IMPACT OF SUPREME COURT OF CANADA DECISION R. v SPENCER, 2014, SCC 43

Action Plan

The CACP Law Amendments Committee will work with the E Crime Committee to develop new legislation that supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, BSI from telecommunications providers.

The Committee will keep abreast of the ongoing work of the F/P/T Coordinating Committee of Senior Officials, Cyber crime Working Group who is leading the policy development of legislative reform considerations; next meeting schedule in November, 2015.

Requirement to develop an overall government-wide approach to ensure law does not run counter to government objectives or would require major modifications in the future.

1 comment:

DJM said...

Bruce Schneier points to an Australian journalists exploration of how much can be gleaned from metadata. Police really should need a warrant for this level of tracking.