Wednesday, December 20, 2023

How the Grinch Stole Privacy - A Privacylawyer Holiday Special

I also had the oppotunity to talk about this silly take with CBC Information Morning Halifax and Cape Breton. You can listen to the interviews here: Halifax, Cape Breton.

Wednesday, December 13, 2023

Federal Court concludes that a “virtual presence” in Canada is enough to be ordered to assist CSIS

Decision follows trend starting in BC that a virtual presence in Canada is enough to be ordered to produce records

The Federal Court of Canada, in connection with an application for a warrant and an assistance order under the Canadian Security Intelligence Service Act, was required to consider whether an assistance order under s. 22.3(1) of that Act could be issued to order a legal person with no physical presence in Canada to assist CSIS with giving effect to a warrant. The order would have extra-territorial effect.

In a redacted decision, Re Canadian Security Intelligence Service Act (Can), the court concluded that it can, provided that the subject of the assistance order has a “virtual presence” in Canada. The decision notes that the foreign company involved was willing to assist, but needed to see a court order to manage their possible legal liability:

[3]       The affiant explained that [REDACTED] is incorporated and headquartered in [REDACTED] does not have physical offices or employees in Canada. It has a virtual presence in Canada that consists of [_some physical presence in Canada_]. It solicits business from Canadians and [REDACTED].


[4]       The affiant also explained that [REDACTED] has been fully cooperative in providing assistance to CSIS to date, but has advised CSIS that it requires a judicial authorization from a Canadian court to minimize its legal risk in the event that CSIS uses the collected intelligence beyond analysis; [REDACTED]. [REDACTED] advised that it would continue to be cooperative pending and upon receipt of an Assistance Order.

The company’s willingness to comply wasn’t particularly material to the Court’s decision.

At the urging of the government and largely supported by a court-appointed amicus, the Court followed a trend of cases that have dealt with similar questions but involving production orders under the Criminal Code. The first of these cases is British Columbia (Attorney General) v. Brecknell, where the Royal Canadian Mounted Police were seeking to obtain a production order naming Craigslist. As with this CSIS case, Craigslist said they’d cooperate but needed to see a court order. The British Columbia Court of Appeal, influenced by the Equustek case from the Supreme  Court of Canada, concluded that a court has jurisdiction to issue a production order naming an entity physically beyond the court’s jurisdiction provided they had a “virtual presence” within the jurisdiction.

The Court concluded:

[49]     I find that the jurisprudence in the context of production orders issued pursuant to section 487.014 of the Criminal Code provides a good analogy and support for finding that this Court has the jurisdiction to issue an Assistance Order where in personam jurisdiction can be established. The two provisions are similar in purpose, albeit in different contexts, both are directed to a person, which includes an organization or entity that is a legal person, and similar considerations arise in determining whether the order should be issued where the subject has only a virtual presence in Canada.

[50]     The considerations noted by the SCC in Equustek lend further support to taking an approach that reflects the realities of the internet dominated storage and transmission of documents and information. As noted in Brecknell, document control may exist in one jurisdiction, and the documents in another or in several others and “formalistic distinctions” between virtual and physical presence defeat the purpose of the legislation.

[51]     Whether an organization or entity with only a virtual presence in Canada can establish a real and substantial connection with Canada sufficient to constitute presence in Canada will be a case-by-case determination. Where such in personam jurisdiction is established, the organization or entity that is subject to the Assistance Order and required to provide documents in their possession or control is considered to be in Canada although the documents may be stored elsewhere.

As with a number of the cases following Brecknell, the Court concluded that its ability to issue the order does not turn on whether it would be able to enforce the order, though that is a relevant consideration:

[53]      I have considered the issue of enforcement of the Assistance Order on [REDACTED]. I note that they have been cooperative to date and indicate their ongoing intention to cooperate. However, I also agree with the submissions of the AGC and amicus and the jurisprudence, that the enforcement of the Order is a separate issue from whether the Court has jurisdiction to issue the Order, but remains a relevant consideration with respect to whether the Order should be issued based on the particular circumstances.

Consistent with the previous production order cases cited, the intended recipient was not a party to the hearing. All were ex parte, but some included amici.

Note: I believe that Brecknell was wrongly-decided, but because all of these orders have not been ex parte and unopposed, it'll be some time before these arguments will be made in court.   See: David T Fraser, "British Columbia (Attorney General) v. Brecknell", Case Comment, (2020) 18:1 CJLT 135.

Sunday, December 03, 2023

Being on the receiving end of a warrant from the Canadian Security Intelligence Service (CSIS)

So someone from CSIS just called ….

There’s a first time for everything. You get a call from an “UNKNOWN NUMBER” and the caller says they work with Public Safety Canada and they’re looking for some information. This happens from time to time at universities, colleges, telecoms, internet-based businesses and others. Likely, they actually work for the Canadian Security Intelligence Service (known as CSIS) and they’re doing an investigation. 

So what happens – or should happen – next? You should ask them what they’re looking for and what is their lawful authority. Get their contact information and then you should call a lawyer who has dealt with this sort of situation before. 

CSIS is an unusual entity. They’re not a traditional law enforcement agency. While they can also get warrants (more about that later), they have a very different mission. The mandate of CSIS is to 

  • investigate activities suspected of constituting threats to the security of Canada (espionage/sabotage, foreign interference, terrorism, subversion of Canadian democracy);

  • take measures to reduce these threats;

  • provide security assessments on individuals who require access to sensitive government information or sensitive sites;

  • provide security advice relevant to the Citizenship Act or the Immigration and Refugee Protection Act; and

  • collect foreign intelligence within Canada at the request of the Minister of Foreign Affairs or the Minister of National Defence.

To carry out this mandate, CSIS may seek and obtain warrants. But they are unlike any warrant or production order you may see handed to you by a cop. CSIS warrants are more complicated to understand and possibly comply with than the more traditional law enforcement variety.

Canadians are often surprised to discover that we have a court that meets in secret, in a virtual bunker and hears applications for TOP SECRET warrants. These warrants can authorize “the persons to whom it is directed to intercept any communication or obtain any information, record, document or thing and, for that purpose, (a) to enter any place or open or obtain access to any thing; (b) to search for, remove or return, or examine, take extracts from or make copies of or record in any other manner the information, record, document or thing; or (c) to install, maintain or remove any thing.” These warrants can be accompanied by an assistance order, directing a person to assist with giving effect to a warrant. 

A problem for third parties with these warrants is that they can be long-term and very open ended. The name of the target of the investigation may be unknown at the time the warrant was obtained, and the warrant may authorize the collection of data related to that unknown person. It can authorize the collection of information about people who are in contact with that unknown person. It may authorize the collection of additional information related to those persons, such as IP addresses, email addresses, communications and even real-time interception of communications. Once the unknown person has been identified by CSIS (by name, an account identifier, online handle, etc.), they will seek to obtain further information. But the warrant itself likely does not name the person or any account identifiers so that the custodian of information cannot easily connect the request to a particular information. And the recipient of the demand must be confident that they are authorized to disclose the requested information, otherwise they would be in violation of privacy laws. 

To complicate things further, because these warrants are generally secret, CSIS is not willing to provide a copy of the complete warrant to a third party from whom they are seeking data. They will generally permit you to look at a redacted version of the warrant but will not let you keep it. Diligent organizations that know they can only disclose personal information if it is authorized and permitted by law, and they have a duty to ensure that they disclose only the responsive  information. To do otherwise risks violating applicable privacy laws. Organizations should also document all aspects of the interaction and disclosure, which is a problem if you can’t get a copy of the warrant. Over time, procedures have been developed by CSIS and third party organizations to address this. 

While all of this may be TOP SECRET, nothing precludes a recipient of a warrant or an assistance order from seeking legal advice on how to properly and lawfully respond. Anyone dealing with such a situation should seek experienced legal advice. 

In just the past few weeks, the Government of Canada launched a consultation on possible reforms to the CSIS Act, mainly under the banner of protecting Canadian democracy against foreign interference. Of course, changes to the statute will affect other aspects of their mission. The consultation is broadly organized under five “issues”, and it’s Issue #2 that is the most relevant to this discussion.

Issue #2: Whether to implement new judicial authorization authorities tailored to the level of intrusiveness of the techniques

Essentially, what they’re proposing is a form of production order similar to what we have in the Criminal Code of Canada. Such an order would still be subject to court approval and could compel a third party to produce information “where CSIS has reasonable grounds to believe that the production of the information is likely to yield information of importance that is likely to assist CSIS in carrying out its duties and functions.” Examples they give are basic subscriber information, call detail records, or transaction records. These would be much more targeted and, in my view, much easier for the custodian of the information to evaluate and respond to. A production order would authorize CSIS to obtain the basic subscriber information of a named person or known account identifier. Under the current warrant authority, those specific people may be unknown at the time the warrant was issued but are still within the ambit of the warrant. Presumably a CSIS production order can be served in the usual way as a criminal code production order and the company can keep a copy of it for its records. I’m generally very skeptical about the expansion of intrusive government powers, particularly when much of it takes place outside of OPEN court but in a closed court, but I don’t see this as an expansion. CSIS can be given this ability, supervised by the court, to streamline its existing authorities. They would need to be very careful if they were to purport to give it extraterritorial effect, since that would likely be very offensive to comity and the sovereignty of other countries. And intelligence collection is generally more offensive and aggressive than investigating ordinary crime. It may specifically be illegal under foreign law for the company to provide data in response to such an order. And I think the order should, like a criminal code production order, explicitly give the recipient the right to challenge it. So that’s the current situation with CSIS investigations, at least from a service provider’s point of view, and a hint at what’s to come. Again, if you find yourself in the uncomfortable and unfamiliar situation of taking a call from “public safety” or CSIS, reach out to get experienced legal advice from a lawyer who has been through the process before.