On June 3, the new Canadian government tabled Bill C-2 in Parliament, called “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures” but with a short title of “Strong Borders Act”.
As the name implies, it’s mostly about border measures, customs stuff, fentanyl and immigration. But once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. The Bill contains a number of search, seizure and surveillance measures that have nothing to do with the border or fentanyl. In the past, governments have tried to introduce similar measures under the guise of fighting terrorism, child abusers and cyberbullies. Now it’s apparently border security.
I’m really getting tired of these sorts of bills and for a brief moment, I was hopeful that this new government would take a different route. Apparently not. I am completely confident that the lawful access provisions of his bill have been sitting in a drawer at the Department of Public Safety, desperately waiting for an opportunity to put it in a slightly relevant bill. Sigh.
For now, I’m going to focus on Part 14 of Bill C-2 which amends the Criminal Code in a bunch of ways. Part 15 creates a whole new law called the “Supporting Authorized Access to Information Act”, which I’ll have to cover in another episode.
Part 14 creates a new police order or “information demand”, without judicial oversight or control, to require service providers to hand over basic information about customers. It dramatically truncates the response time for production orders and unrealistically gives service providers only five days to challenge a production order. It amends the law to clarify that cops can just ask for information and service providers can just hand it over. It may also permit the cops to use illegally hacked and leaked data in their investigations.
It creates a new production order for subscriber information that police can get with only “reasonable grounds to suspect” an offence has taken place, not the usual “usual grounds to believe” an offence has taken place. And it’s broader than most general production orders I’ve seen for “basic subscriber information”.
The Bill creates a puzzling new warrant that allows a judge to authorize a peace officer or public officer to obtain tracking data or transmission data that relates to any thing that is similar to a thing in relation to which data is authorized to be obtained under the warrant and that is unknown at the time the warrant is issued. So if the cops get a warrant to track a certain thing, and then discover it's related to another thing that can also track the person, they can get data from the second thing. Hmm.
Finally, Part 14 includes a weird judicial authorization to make a request for data from a foreign entity.
The new “information demands”.
This new section 487.0121 of the Criminal Code authorizes a “peace officer or public officer”, without judicial authorization, to make a demand of any person who “provides service to the public” requiring them to provide any of the following information in this list.
Information demand
487.0121 (1) A peace officer or public officer may make a demand in Form 5.0011 to a person who provides services to the public requiring the person to provide, in the form, manner and time specified in the demand, the following information:
(a) whether the person provides or has provided services to any subscriber or client, or to any account or identifier, specified in the form;
(b) if the person provides or has provided services to that subscriber, client, account or identifier,
(i) whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,
(ii) in the case of services provided in Canada, the province and municipality in which they are or were provided, and
(iii) in the case of services provided outside Canada, the country and municipality in which they are or were provided;
(c) if the person provides services to that subscriber, client, account or identifier, the date on which the person began providing the services;
(d) if the person provided services to that subscriber, client, account or identifier but no longer does so, the period during which the person provided the services;
(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and
(f) if the person is unable to provide any information referred to in paragraphs (a) to (e), a statement to that effect.
Paragraphs (a) and (b) are clearly intended to deal with the situation where the police have a phone number, and want to go to Rogers or Bell and ask “is this number serviced by you”? And if so, where is the service provided and whether they have customer records. That tells them enough information to refer the case to the local police where the customer is. Regularly, the RCMP in Ottawa receive information from a foreign police agency that’s just associated with an IP address. They may know it’s a Rogers IP address, but they don’t know where the potential suspect is. Now Rogers will have to tell them, without a warrant or court order, “yes, that’s our customer and they live in Montreal.” No directly identifying information is supposed to be shared.
I don’t have a big problem with this. I am concerned about paragraph (e), however.
(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and
So if the service provider knows that the customer in question gets services from anyone else, that also has to be disclosed. So if the Eastlink customer has a Hotmail address on file, I think they have to disclose that the person is also a Microsoft customer. What could be more problematic is if a company that supports OAuth logins (like using your Microsoft account to log into other services), this may require disclosing where those logins take place.
The threshold for making such a demand is that they have “reasonable grounds to suspect” (a very low threshold) that (a) an offence has been or will be committed under any Act of Parliament and (b) the information demanded will assist with the investigation of the offence. The peace officer or public officer can impose a non-disclosure order.
The person receiving the order has only 5 days to seek to have the demand varied or revoked, and has to give notice to the peace officer or public officer of its intent to have the demand varied or revoked. Five days is not much, in my view. The threshold for varying or revoking a demand is if “(a) it is unreasonable in the circumstances to require the applicant to provide the information; or (b) provision of the information would disclose information that is privileged or otherwise protected from disclosure by law.” Demands like these seem unlikely to disclose privileged information.
The next significant thing in Part 14 of Bill C-2 is a “production order for subscriber information”. Unlike in previous “lawful access” attempts, this does require judicial authorization, but the threshold is very, very low. It’s just above the police having a “hunch”.
We have a new section 487.0142, which creates a new production order for subscriber information with a very low threshold of simply “reasonable grounds to suspect” that (a) an offence has been or will be committed under the Criminal Code or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.
487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.
Unlike a General Production Order, this order requires the production of “all the subscriber information” in the recipient’s possession. The General Production Orders that I see on a regular basis name the specific data being sought. These orders are for “all subscriber information”, which is broadly defined:
subscriber information means, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person,
(a) information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;
(b) identifiers assigned to the subscriber or client by the person, including account numbers; and
(c) information relating to the services provided to the subscriber or client, including
(i) the types of services provided,
(ii) the period during which the services were provided, and
(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services. (renseignements relatifs à l’abonné)
Look at (a): it likely also includes billing information. If it’s a paid service, like a cell phone, bank account or credit card information would have been provided when the account was set up. I do not regularly see this in general production orders for subscriber information.
It is worth pointing out that these orders can be obtained to investigate any “offence” in any Act of Parliament. This is not limited to the Criminal Code or the Controlled Drugs and Substances Act or the Customs Act. This includes the Canada National Parks Act.
And I really must emphasise that “reasonable grounds to suspect” is a very low threshold. It is the lowest in our legal system, since our system doesn’t recognize “hunches” or “spidey senses”.
This is in direct response to the Supreme Court of Canada’s decision in R. v. Spencer where the court said that the police can’t just ask for subscriber information, but it must be on the basis of exigent circumstances or in accord with a “reasonable law”. The government clearly thinks this is a “reasonable law” that gets them there.
Next up are Applications for requests of transmission data or subscriber information from a foreign entity.
The new s. 487.0181 is a bit unusual, as it creates a power to authorize a “request” (not an order) directed at a “foreign entity that provides telecommunications service to the public.” The request is approved by a judge on an application by a peace officer or a public officer.
487.0181 (1) On ex parte application made by a peace officer or public officer, a justice or judge may authorize a peace officer or public officer to make a request to a foreign entity that provides telecommunications services to the public to prepare and produce a document containing transmission data or subscriber information that is in the foreign entity’s possession or control when it receives the request.
The request is limited to transmission data or subscriber information.
The threshold for issuing such a request is again “reasonable grounds to suspect that (a) an offence has been or will be committed under this or any other Act of Parliament; and (b) the transmission data or the subscriber information is in the foreign entity’s possession or control and will assist in the investigation of the offence.”
It is really weird. So the police go to a judge to get an authorization to make a non-compulsory request to a foreign entity. Essentially all this does is make sure that the cop swears in front of a judge that they have reasonable grounds to suspect, and the judge concurs with this. But it’s not compulsory.
I expect that this is in response to the controversy surrounding the Breknell case from British Columbia that questioned whether production orders can be issued naming entities physically outside of Canada.
This may also be intended to take account of arrangements like a CLOUD Act agreement, contemplating the inclusion of information that may be necessary under the laws of a foreign state:
Form
(4) The production request is to be in Form 5.00803 and may include any information that is required by the foreign entity, by the foreign state in which the foreign entity is located or under an international agreement or arrangement to which Canada and the foreign state are parties.
Again, these are not court orders, but are issued like a court order. What the cop sends to the foreign service provider is the request, and a copy of the authorization.
I think this will cause a lot of confusion. A large number of non-Canadian service providers will respond to general production orders, particularly where the investigation relates to a person they identify as being in Canada. For some such entities, their privacy policies say they’ll only disclose information where “required by law”, and if they are following PIPEDA with respect to Canadian customer data – as they should – “required by law” is one of the exceptions that allows a disclosure to police. These requests don’t trigger the “required by law” exception in our privacy law. Also, some US service providers require that the thresholds largely align with the American “probable cause” standard. Reasonable grounds to suspect does not meet that threshold.
So cops may think they just have to send a request and the foreign service provider may say that’s not sufficient, we want a production order. So back to the judge.
I note these can be combined with an order of non-disclosure, which is binding at least under Canadian law. Whether it can really bind a foreign company is not clear.
What’s also puzzling is that officials from the government, during the technical briefing on the Bill, said none of our “five eyes partners” (meaning the US, UK, Australia and New Zealand) require an order for police to get subscriber information. That’s not my experience.
Now onto “exigent circumstances”...
Clause 167 of the Bill codifies what I understand to be the common law related to “exigent circumstances.” Just so we’re on the same page: “Exigent circumstances” exist where (a) there is imminent threat to the public or public safety; or (b) a risk of loss or destruction of evidence.”
The Code has generally permitted peace officers to search and seize in “exigent circumstances” if the conditions for obtaining a warrant exist, but exigent circumstances mean it would be impracticable to obtain a warrant. The provision, s. 487.11 of the Code, is being replaced to scope in powers that are available under certain production orders. The underlined portions are what have been added to the existing s. 487.11.
Essentially, this means that a peace officer or public officer may make a demand that has the force of law without a court order where exigent circumstances make seeking the order impracticable.
It is unclear to me whether a demand under (b) would have the same force and effect as a production order for the same data, and whether non-compliance could result in the same penalties.
Bill C-2 amends section 487.0193 to dramatically and problematically truncate the window of time to commence a review to revoke or vary a production order issued under sections 487.014 to 487.018 of the Criminal Code. The new timeframe is FIVE DAYS after the date of the Order. It was previously prior to the deadline referred to in the order, which is generally 30 days.
This is unworkable in my view. I regularly see production orders that were delivered to the service provider days after they were issued. I sometimes interact with cops who already have an order and want to know where to send it. After this amendment, the clock is ticking rather loudly. If a cop gets an order on a Thursday before a long weekend, delivers it on a Friday, it may not come to anyone’s attention until Tuesday. And making a decision to challenge a production order isn’t usually made by the person in corporate security who first review it. It’ll have to go up a chain of command. By the time a decision-maker gets their eyes on it, the window will have closed. And they can’t even make an application unless they get ahold of the cop to tell them that it will be challenged.
In my experience, this will be completely unworkable for most service providers.
For some time, s. 487.0195 of the Code has contained provisions that say a police officer can always ask for information that would otherwise be subject to a production order, and to obtain that information where the person is not prohibited by law from disclosing. Clause 164 Bill C-2 amends this section to add subsections that clarify that this includes data that could be the subject of an information demand under the new section 487.0121.
The section appears intended to provide immunity to a service provider who voluntarily provides information that would otherwise be subject to a production order. So a cop asks a bank or a telco to “voluntarily” provide customer data, and the bank or telco says “sorry, we can’t because privacy laws prohibit it and we’ve agreed with our customers that we’ll only provide data where required by law.” The cop can point to this section and say “so what? They can’t successfully sue you and you have no civil or criminal liability for providing the data”. I’d respond saying that our privacy laws are not about criminal or civil liability, come back with a warrant.
And paragraph (4) says that cops can always use information that is “available to the public.” I’ve heard some raise concerns that this would include data that is publicly leaked via hacking or other nefarious means. So they can go trolling through the Ashley Madison leaks, I guess.
I’ll have to save the deeply Supporting Authorized Access to Information Act for another episode, so stay tuned for that.
Overall, I really hope that the government gets a lot of shaming for putting this trojan horse in the border bill. These expanded law enforcement powers are consequential and deserve to be appropriately discussed and debated. I think that’s why the government decided to go this route, to avoid the huge outcry we’ve seen in the past related to prior lawful access attempts.
No comments:
Post a Comment