Welcome Mat by Bruce Bortin https://flic.kr/p/dZGkk CC BY-NC 2.0


Privacy At Risk: Government Buries Lawful Access Provisions in New Border Bill

The government yesterday introduced the Strong Border Act (Bill C-2), legislation that was promoted as establishing new border measure provisions presumably designed to address U.S. concerns regarding the border. Yet buried toward the end of the bill are lawful access provisions that have nothing to do with the border. Those provisions, which raise the prospect of warrantless access to information about Internet subscribers, establish new global production orders of subscriber information, and envision new levels of access to data held by electronic service providers, mark the latest attempt in a longstanding campaign by Canadian law enforcement for lawful access legislation. Stymied by the Supreme Court of Canada (which has ruled that there is a reasonable expectation of privacy in subscriber data) and by repeated failures to present a compelling evidentiary case for warrantless access, law enforcement has instead tried to frame lawful access as essential to address everything from organized crime to cyber-bullying to (now) border safety. Much like the government’s overreach last year on online harms, Bill C-2 overreaches by including measures on Internet subscriber data that have nothing to do with border safety or security but raise privacy and civil liberties concerns that are bound to spark opposition. This post provides the background on lawful access and an overview of some of Bill C-2’s provisions, with more details on key elements to come.

Lawful Access Background

The pressure from Canadian law enforcement for access to Internet subscriber data dates back to 1999, when government officials began crafting proposals that included legal powers to access surveillance and subscriber information. What followed was a series of lawful access bills that sparked opposition – both in the public and effectively in the courts. For example, a 2010 lawful access bill mandated the disclosure of Internet provider customer information, including customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers without court oversight.

That bill stalled, but in February 2012, then-Public Safety Minister Vic Toews introduced Internet surveillance legislation that once again sparked widespread criticism from across the political spectrum. Toews infamously said to Francis Scarpaleggia, now the Speaker of the House but then a critic of the bill, that he “could stand with us or with the child pornographers.” The comment did not help his case and the overwhelmingly negative publicity pressured the government to quickly backtrack by placing it on hold.

In 2013, then-Justice Minister Rob Nicholson announced that the bill was dead, confirming “we will not be proceeding with Bill C-30 and any attempts that we will continue to have to modernize the Criminal Code will not contain the measures contained in C-30.” Nicholson’s commitment lasted less than a year. By 2014, Peter MacKay, then the new federal justice minister, unveiled Bill C-13, which was marketed as an effort to crack down on cyber-bullying. Yet the vast majority of the bill brought back many (though not all) lawful access provisions found in the earlier proposal.

The lawful access campaign was effectively derailed for a decade by the Supreme Court of Canada. In the 2014 Spencer decision, the Court ruled that there was a reasonable expectation of privacy in Internet subscriber information:

in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

There were some efforts to revive lawful access, but in 2017 the House of Commons Standing Committee on Public Safety and National Security recommended against introducing reforms:

That at this time, and following the Supreme Court of Canada’s decision in R. v. Spencer, no changes to the lawful access regime for subscriber information and encrypted information be made, but that the House of Commons Standing Committee on Public Safety and National Security continue to study such rapidly evolving technological issues related to cyber security.

Last year, the Supreme Court expanded the privacy safeguards in the Bykovets decision, ruling that “if section 8 of the Charter is to meaningfully protect the online privacy of Canadians in today’s overwhelmingly digital world, it must protect their IP addresses. An IP address is the crucial link between an Internet user and their online activity.” The case is discussed in this Law Bytes podcast episode with Vibert Jack.

This is admittedly a lot of history, but the background is essential to understanding why a 140-page border bill that is the new government’s first substantive piece of legislation includes rules pertaining to Internet subscriber data and access to communications on provider systems. The failed legislation and Supreme Court decisions should have been the end of the lawful access story. But leveraging Prime Minister Mark Carney’s “once-in-a-lifetime” crisis opportunity, it is back yet again, now buried within the border bill.

A more detailed look at the provisions themselves will be the subject of future posts, but the core of the new lawful access approach includes several components, including a new “information demand” power for law enforcement, global production orders, and new rules on access to communications on electronic provider systems.

“Information Demands”

First, the bill creates a new “information demand” for law enforcement that does not require court oversight. This is the government’s response to the Supreme Court decisions as it seeks to carve out warrantless access to information about an Internet subscriber. It states:

487.‍0121 (1) A peace officer or public officer may make a demand in Form 5.‍0011 to a person who provides services to the public requiring the person to provide, in the form, manner and time specified in the demand, the following information:
(a) whether the person provides or has provided services to any subscriber or client, or to any account or identifier, specified in the form;

(b) if the person provides or has provided services to that subscriber, client, account or identifier,
(i) whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,

(ii) in the case of services provided in Canada, the province and municipality in which they are or were provided, and

(iii) in the case of services provided outside Canada, the country and municipality in which they are or were provided;

(c) if the person provides services to that subscriber, client, account or identifier, the date on which the person began providing the services;

(d) if the person provided services to that subscriber, client, account or identifier but no longer does so, the period during which the person provided the services;

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

(f) if the person is unable to provide any information referred to in paragraphs (a) to (e), a statement to that effect.


This does not involve disclosure of the data but rather information on whether the provider has relevant data. The standard for making such a request is only “reasonable grounds to suspect” that

(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the information that is demanded will assist in the investigation of the offence.


In other words, this covers reasonable grounds to suspect that an offence under any law has been or will be committed. Not only does this go beyond the border, but there are also no limits to the kinds of offences that are covered, given that any Act of Parliament is included.

From a privacy perspective, the Supreme Court has already ruled that there is a reasonable expectation of privacy in subscriber information and IP addresses, therefore requiring a warrant for disclosure. The government is now trying to target information about a subscriber: are they a subscriber with a particular Internet service, and does the provider have data about their use of the service, including where and when it was used? It is akin to law enforcement approaching a bank to demand knowing if a particular person is a client and whether there is information about their account transactions but stopping short of asking for the actual account information. There are obvious privacy implications here that are certain to result in a legal challenge should the bill pass in its current form.

Global Production Orders

While the information demand speaks to information about the subscriber, obtaining further subscriber information requires a warrant, except in exigent circumstances. Subscriber information is broadly defined to include:

(a) information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(c) information relating to the services provided to the subscriber or client, including
(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services.‍


The warrant process involves a production order on the following conditions:

487.‍0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.‍004 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this Act or any other Act of Parliament; and

(b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

Once again, reasonable grounds to suspect is the standard and this order may be applied to an offence under any Act of Parliament. Note that prior lawful access proposals, such as Bill C-13 in 2013, included the higher “reasonable ground to believe” standard. In fact, the warrant process may be bypassed altogether and the subscriber data seized in exigent circumstances that make it impractical to obtain a warrant:

(b) seize any subscriber information that may be the subject of an order made under subsection 487.‍0142(1) or any data that may be the subject of an order made under subsection 487.‍016(1) or 487.‍017(1) if the conditions for obtaining an order exist but by reason of exigent circumstances it would be impracticable to obtain an order.

To top it off, the bill also includes a global production order for this information that can be applied to non-Canadian entities. The bill contains a similar production order for foreign entities:

487.‍0181 (1) On ex parte application made by a peace officer or public officer, a justice or judge may authorize a peace officer or public officer to make a request to a foreign entity that provides telecommunications services to the public to prepare and produce a document containing transmission data or subscriber information that is in the foreign entity’s possession or control when it receives the request.

(2) The justice or judge may authorize a peace officer or public officer to make the production request only if the justice or judge is satisfied by information on oath in Form 5.‍00801 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this or any other Act of Parliament; and

(b) the transmission data or the subscriber information is in the foreign entity’s possession or control and will assist in the investigation of the offence.

There is much more to assess with each of these provisions. Indeed, the bill contains some provisions that allow for challenging orders and envisions a system to better obtain cooperation from foreign entities. Obtaining information from non-Canadian services that operate in Canada has been a significant law enforcement challenge. The question will be whether there are appropriate standards and safeguards in the new proposed rules.

“Authorized Access to Information”

Beyond subscriber information, there is another section focused on access to computer systems, particularly on networks run by “core providers”. These rules also have huge implications for network providers as they envision providing law enforcement with direct access to provider networks to test capabilities for data access and interception. The bill introduces a new term – “electronic service provider” – that is presumably designed to extend beyond telecom and Internet providers by scoping in Internet platforms (Google, Meta, etc.). Those international services are now key players in electronic communications (think Gmail or WhatsApp), though some may be beyond this form of regulation (e.g., Signal if you don’t inadvertently add people to chat groups).

The definition of an ESP is:

a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that
(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.‍ 

An electronic service includes:

“a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.”

All electronic service providers are subject to obligations to “provide all reasonable assistance, in any prescribed time and manner, to permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.” Moreover, all are required to keep such requests secret.

But beyond the basic obligations, the government will identify “core providers” who will be subject to additional regulations. These may include:

(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information; and

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b).


There are a host of proposed rules for core providers, which effectively grant law enforcement direct access to service provider systems for the purposes of communications access and interception. This is a revival of old proposals in which law enforcement sought access to the systems of Canada’s major telecom and Internet providers. There were concerns that the costs of compliance would be too challenging for smaller players and the use of regulation may be a mechanism to exempt those providers. The trade-off is that the effectiveness of the system is open to doubt given that the “bad guys” can easily figure out which providers are subject to these rules.

I will be working to post more on all of these provisions in the coming days and weeks. In the meantime, the key takeaway is that Bill C-2 is far from just a border bill. The government and law enforcement are running back the warrantless access playbook by inserting extensive lawful access provisions in an unrelated bill. This approach should be roundly rejected. If there is a case for lawful access, it should be debated on its own merits, in its own bill, and with its own study.

4 Comments

  1. Pingback: Canadian Liberal Party Border Bill Also Includes Warrantless Access Provisions – Pixel Envy

  2. Pingback: Roundup: The confidence vote that wasn’t | Routine Proceedings

  3. Ink Pusher says:

    Canadians never learned that there is a massive difference between what is Lawful and what is Legal. Legal is the corporate subversion of what is Lawful, to benefit of unaccountable corporatized government agencies that operate above the Law, not for the protection of the Lawful Rights of The Citizens.

  4. Great read, thank you. Though I’d recommend a strong tl;dr for the casual reader.
