Thursday, November 01, 2012

A police officer's response to my recent critique of lawful access

You may recall that on September 18, 2012, Detective Constable Warren Bulmer of the Toronto Police Service's Computer and Technology Facilitated Crime group had a guest post: Guest post: A police officer's take on informational privacy and the police in the digital age. He sent me the following response to my recent post Despite police chiefs' representations, lawful access is irretrievably broken, and I have his ok to post it here.

I expect I'll have a response to his post in the next day or so.


I would like to take this opportunity to provide a few points about your post.

To be fair, the role of the Police in any criminal investigation is not just simply to identify the person responsible for the crime but to try to determine the truth about what happened based on evidence. Often in this work, we receive tips or leads that implicate the wrong person especially in the world of the pseudo-anonymous Internet. Technology itself creates challenges by providing the ability to disguise, alter or otherwise mislead any person attempting to validate Internet sourced information. The police have a responsibility to conduct a thorough investigation which is to also eliminate suspects or persons of interests that may have been implicated by a witness. In the digital age more particularly, we see people who have identified themselves by impersonating another or purporting to be someone they are not. Hard to believe that people don’t use their real name when engaging in questionable behaviour online but it’s true.

In many cases, I agree with you a judicially authorized instrument allows the Police to investigate as long as time is not of the essence. The problem with a judicially authorized Production Order is that the company (ISP) cannot return the information for 30-60 days. So in a public safety situation, or if you or one your readers were targeted by Police as a suspect or person of interest and you had been wrongly implicated, you would be waiting for the Police to clear your good name. The process is completely unfair in this regard. I agree that rights need to be protected but it can’t be at the cost of potential injustice caused by investigative delays to benefit the minority (criminals) versus the rights of the masses. Section 15 of the Charter states “every individual is equal before and under the law and has the right to the equal protection and equal benefit of the law… “

The other part of your post which needs to be clarified is this (quote): “…but based on the premise that the police should not be able to require anybody to provide information about an individual in the absence of reasonable grounds to believe that the information either is or will lead to evidence of a crime that has been, is being or will be committed, and the appropriate checks and balances…”. With respect to the context you have placed this passage in, I think your readers may mistakenly draw the conclusion that the Police could use a Production Order (487.012) to stop or prevent a crime from happening.

As you pointed out in your piece, a Production order can be authorized by a Justice of the Peace or Judge but most commonly the former. The judicial officer can only authorize a Production Order for criminal offences under the Code or other Act of Parliament based on reasonable grounds when an offence has been or is suspected to have been committed. Therefore, it cannot be used to prevent a crime that hasn’t happened yet, or is about to happen. The purpose of a Production Order is to provide police with evidence in a non-intrusive way. It was clearly designed to obtain third party records that exist in the hands of third parties and the extent of that search is not carried out by the Police thereby mitigating the invasion of privacy. It does not carry the level of scrutiny a search warrant does.

As you know, a search warrant (487 CCC) can be used in situations where an offence is about to or will be committed however; it is not the appropriate mechanism to obtain these records because a warrant authorizes the Police to carry out the search. Even with an appropriate assistance order (487.02) it is neither practical nor reasonable for Police to walk into Bell, serve a search warrant and start searching through the ISP’s servers. This leaves the conundrum Police currently find themselves in, an inability to clear innocent people of false allegations of wrong-doing in a timely manner and no judicially authorized mechanism to prevent a crime from happening when the Internet is involved. One additional factor at play is where a case dictates that Police need to intervene when a criminal offence hasn’t been or isn’t at the threshold where a situation meets the definition of an offence. The Police require a criminal offence to seek a judicially authorized search unless there is a lawful exemption.

Bill C30 affords the Police lawful access to basic subscriber information, which incidentally is the same information that is sought via a Production Order, when there is a belief outside of a criminal offence that the Police need that information. I would refer your readers to Section 17 of the Bill which states:

17. (1) Any police officer may, orally or in writing, request a telecommunications service provider to provide the officer with the information referred to in subsection 16(1) in the following circumstances:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.

The police officer must inform the telecommunications service provider of his or her name, rank, badge number and the agency in which he or she is employed and state that the request is being made in exceptional circumstances and under the authority of this subsection.

(2) The telecommunications service provider must provide the information to the police officer as if the request were made by a designated person under subsection 16(1).

This component would mandate that the Police dictate what constitutes an emergency request based on exigent circumstances not the ISP. As you know, currently the Police make emergency requests and the ISP determines if it meets their version of an emergency. I have heard of numerous incidents where Police have made an emergency request using the ISP’s form and it was denied because they (the ISP) deemed it wasn’t an emergency thereby forcing Police to get a warrant or Production Order and in some cases nothing was obtained because there wasn’t a criminal offence. In those cases, the Police could do nothing and often they were kids or adults alike being mean or nasty to another or worse looking for help on the Internet but there weren’t enough facts to formulate a criminal offence.

Section 17 of the Bill provides the ability for Police to intervene and protect people who may be suicidal perhaps kids who are targets of bullying when it doesn’t meet the threshold of a criminal offence or in identifying someone who says they will blow-up a theatre before they do it. How? By removing the interpretation of a private company as to what constitutes an emergency, harm or unlawful act. If anyone wants a reason as to why this legislation is necessary, it is the “protection” and “prevention” benchmarks available in it that we should be recognizing or enhancing and divert attention away from the enforcement side of the legislation. The Police will always have the authority to ask.

People have and continue to criticize the Police for standing by while dozens of these incidents go under enforced or seemingly ignored. Lawful access provisions like this aren’t the only solution and I am always cognizant of a “police state” but this legislative tool would go a long way to helping Police intervene early-on in cyberbullying cases, for example and may even prevent some suicides or other Internet related life threatening situations. The most important primary duty of a police officer is the preservation of life and that becomes extremely difficult when the Internet is involved. We find it a challenge to help people who are seeking it on a social network when they are using the nicknames of “wolfman” or “crazy cat lady” or “cooldude66”.


Warren Bulmer


Peter J. Hillier, CD, CISSP said...

Detective Constable Bulmer,

It's not the Law Enforcement arms that I worry so much about becoming the enforcers of a Police State as much as the Public Officers, of the Crown, who also have the ability to leverage this legislation, that I worry about. The legislation, as written, is no prescriptive enough and provides far too much room for abuse by everyone.

Peter J. Hillier, CD, CISSP said...
This comment has been removed by the author.
Anonymous said...

My concern about the bill and police access, is that it implies that true anonymity should not be available to any individual or citizen. Law enforcement if required should be able to obtain the identity of an individual if they feel necessary.

For example, if one uses Tor, I2P, Freenet to hide their IP Address should that be allowed? It would hide it completely from law enforcement. I quickly see that once a bill like this is implemented, the bad guys will hide behind a truly anonymous network that is true peer to peer (not a company that can be forced).


John van Gurp said...

So it's no longer so much about pedophiles and terrorism but now more about clearing innocent people of false allegations of wrong-doing in a timely manner?

One of the more troubling aspects of the bill is that agents of the police will have police-like powers to search records. It's a chilling notion that such activities will likely end up being conducted by private corporate interests.

Some police spokespersons are disconcertingly enthusiastic defending this bill as being in the best interests of the public when it appears that it's main purpose is to lift some of our fundamental Charter freedoms and privacy protections.

Unknown said...

I can see a number of substantial issues that we might be able to address without allowing for undue snooping:

If one wants to communicate with a witness, victim or even probable future victim, an ISP can forward communications to a customer, without exposing the customer's contact details. This can be either electronic, by forwarding an email or skype call, or paper-based if regular mail is fast enough. I have used this myself: I sent a third party an email to forward to a person I wished to speak to, and the person then replied directly to me.

In urgent cases, like cyberbullying leading to a person making suicidal comments, we might extend our "good samaritan" laws to allow a police officer or suicide-prevention councillor to make an initial contact through their ISP, even if the victim later chooses to not continue the communication.

These are just the obvious cases: I'm part of a group at the GTA Linux Users' Group that actively researches this and related subjects. My smarter colleagues have far more ideas than these few!

--dave collier-brown

DexSin said...

"kids or adults alike being mean or nasty to another"

Sweet merciful Jesus! By all means, let's shred the Canadian Charter of Rights and Freedoms so that we can mop up the tears of those who have been treated impolitely!

Anonymous said...

Mr Bulmer, you need to read some history to understand how this kind of power has been used against all peoples.