Lawful Access FAQ
Lawful Access: internet Surveillance
Introduction
Note that all references below to Bill C-74, the Modernization of Investigative Techiques Act, refer to the 38th Parliament which ended on Nov.29, 2005. Not having been passed, Bill C-74 died on the order paper.
New technologies have changed the landscape for criminals and law enforcement agencies alike. New information and communication technologies such as the Internet, email, cellphones, and encryption offer individuals new ways to communicate, organize, and engage in criminal behaviours, creating challenges for law enforcement agencies in their efforts to investigate and prosecute criminal activity. On the other hand, these same technologies provide authorities with access to potentially vast amounts of personal information on individuals; information that would not have been easily available several years ago. Canadian law establishes strict safeguards on the manner in which law enforcement agencies can use electronic surveillance powers. The scope of these safeguards, in the context of current technologies and threats to public security, is now a matter of heated debate, as Parliament considers proposals to expand the surveillance powers of Canadian law enforcement agencies.
This F.A.Q. was supported by the Social Sciences and Humanities Research Council.
F.A.Q.
Content |
What is "lawful access"?
What lawful access powers do Law Enforcement Agencies currently have in Canada?
Law Enforcement Agencies ("LEAs") currently have three main lawful access powers: search and seizure, production orders, and interception of private communications. With some exceptions, these powers require judicial authorization before they can be exercised. For more explanation of each power, see below.
Search and Seizure
In order to lawfully search individuals or property or to lawfully seize evidence, LEAs must, with some exceptions, first obtain a warrant from a judge. The test for obtaining a search warrant varies depending upon the kind of warrant in issue. The general warrant power requires reasonable and probable grounds to believe both that an offence has been committed (or in some cases will be committed) and that the search will furnish evidence or valuable investigative information (s.487). Narrower search powers authorize warrants to be issued on a lesser standard – reasonable grounds to suspect.
Exceptions to the requirement for a search warrant include situations where the conditions for obtaining a warrant exist but where it is unfeasible to obtain a warrant (s.487.11). In particular, the Criminal Code permits warrantless searches where there are reasonable grounds to believe that certain offences (e.g., impaired driving, possession of weapons, operating a common gaming house, counterfeiting money) are being committed and where it is impractical for the LEA to get a warrant. In addition, LEAs are allowed to seize evidence without a warrant in the execution of their duties, where they have reasonable grounds to believe that the evidence is relevant to commission of an offence.
Property seized can be detained for a specified period (normally no more than three months), but this period may be extended with judicial authorization. In some cases, such as when the proceeds of a crime have been seized, the evidence can be detained indefinitely.
Production Orders
While a search warrant allows LEAs to search and seize property, a production order compels a third party to produce evidence. The Criminal Code currently provides for a general production order for data or documents (s.487.012), a specific production order for telephone records (s.492.2(2)), and a specific production order for financial institutions (e.g., in money-laundering investigations) (s.487.013). All require judicial authorization, the first on a "reasonable grounds to believe" standard, and the other two on a "reasonable grounds to suspect" threshold.
Interception of Private Communications
Police are permitted to intercept or monitor private communications (often referred to as "wiretap") only under strict rules set out in the Criminal Code. "Private communications" are defined broadly as:
any oral communication, or any telecommunication, that is made by an originator who is in Canada or is intended by the originator to be received by a person who is in Canada and that is made under circumstances in which it is reasonable for the originator to expect that it will not be intercepted by any person other than the person intended by the originator to receive it, and includes any radio-based telephone communication that is treated electronically or otherwise for the purpose of preventing intelligible reception by any person other than the person intended by the originator to receive it; (s.183)
Interception of private communications covers telephone wiretaps and video surveillance. The extent to which it covers access to e-mail or other Internet-based communications is unclear, since such communications are usually accessed not in real time, but rather from a computer where they have been stored (in which case access to them could be considered a "search" rather than an "interception").
Where one party to the communication consents to the interception, the LEA seeking authorization to intercept must satisfy a judge that there are reasonable grounds to believe that an offence has been or will be committed, and that relevant information is likely to be collected via the interception. Where no party to the communication has consented, the LEA must demonstrate to the judge that other less intrusive investigatory means have been tried and failed or that the urgency of the matter makes other procedures impractical, and that the interception is in the best interests of justice. For certain specific offences such as terrorism, the judge issuing the authorization need only be satisfied that the authorization is in the best interests of the administration of justice.
Interception authorizations generally last for no more than 60 days. However, judges may authorize "emergency authorizations" without any particular "reasonable grounds" or other test; these have a 36 hour maximum.
Interceptions can be carried out without judicial authorization in the following situations:
-
where one party consents, and the LEA reasonably believe that bodily harm may occur to person consenting, and the interception is meant to prevent bodily harm (s.184.1);
-
where the LEA reasonably believes that the urgency of the situation is such that authorization is impossible and that interception is immediately necessary to prevent an unlawful act that would cause serious harm to person or property, and that a party to the communication is the perpetrator or victim (s.184.4); and
-
by the Canadian Security Establishment (CSE) for the purpose of obtaining foreign intelligence or for the protection of the government’s computer systems and networks, where authorized by the Minister of National Defence. CSE intercepts for the purpose of collecting foreign intelligence must be directed at foreign entities located outside Canada (s.273.65, Anti-Terrorism Act).
What safeguards currently exist to protect against police abuse of lawful access powers?
The primary safeguard against abuse of lawful access powers is the requirement for prior judicial authorization before a search or other surveillance activity takes place. Neutral, independent judges must determine that the search or surveillance is justified, under a test such as "reasonable grounds to believe that an offence has been or will be committed". There are, however, exceptions to the normal requirement for judicial authorization in emergency cases. The test for judicial authorization varies according to the type of offence or search, as well as the circumstances (see above, under "What Lawful Access powers do LEAs currently have in Canada?").
When police seize things under a warrant or otherwise in the course of their duties, they must get permission from a justice ("justice of the peace" or provincial court judge) to detain the things. The Criminal Code sets out time limits for the detention of things seized (initially 30 days, extendable to one year), but these limits can be extended with judicial authorization or where the thing seized is relevant to a proceeding underway (ss. 489.1, 490).
Interceptions entail additional safeguards, including a limited set of offences for which interception is allowed at all (s.183), a 60-day time limit on surveillance (with exceptions), a requirement for the police to notify the object of the intercept within 90 days of the end of authorization period (s.196), and a requirement for police to report to Parliament annually on interception applications and authorizations (s.195).
Oversight bodies have been created to deal with abuses of lawful access powers. The Commission for Public Complaints against the RCMP reviews complaints against RCMP members. The Security Intelligence Review Agency (SIRC) examines past operations of the Canadian Security Intelligence Service (CSIS), investigates complaints against CSIS, and reports annually to Parliament. Each province has its own process for dealing with complaints against police.
Section 8 of the Charter of Rights and Freedoms constitutes an important additional safeguard, as it renders illegal any "unreasonable" search and seizures (including interceptions). See below, under "Doesn’t the Charter protect me from overbroad lawful access powers?"
Do police have to report on their use of existing electronic surveillance powers?
Yes, section 195 of the Criminal Code mandates that the Solicitor General of Canada (now Public Safety and Emergency Preparedness Canada (PSEPC)) must file an Annual report on interception authorizations. That report must include information on such things as interception applications granted and refused, and the number of persons identified in interception authorizations who were subsequently charged. The 2004 "Annual Report on the Use of Electronic Surveillance".
There is no annual report requirement for searches and seizures. However, each search and seizure of property must be followed up with a report, given to the judge who granted the warrant, or to another judge if no warrant was granted. The report must describe each item seized and must report on whether it was returned to the rightful owner, or detained for the purposes of investigation or legal proceedings.
What new powers would law enforcement agencies get under the lawful access proposals?
In June 2009, the Government introduced Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALE), with the stated purpose of ensuring that “telecommunication service providers have the capability to enable national security and law enforcement agencies to exercise their authority to intercept communications and to require telecommunications service providers to provide subscriber and other information†to those same agencies (TALE, s. 3). Under the proposed legislation, TSPs are required to build into their technical infrastructure the capacity to provide intercepted communications to authorized persons (TALE, s.6(1)). The costs of doing so fall upon the TSPs (and by extension, the consumer), except where they may be ordered to retrofit older equipment, in which case a TSP may apply for compensation (TALE, s. 14(3)). Under s. 16(1) of TALE, TSPs must, upon written request, provide law enforcement agencies with information in their possession about a subscriber of their service regarding their name, address, telephone number, email address, IP address, mobile phone identification number (IEMI), electronic serial number, SIM card information, etc.
TALE applies to all telecommunications service providers – this would include internet service providers, mobile phone companies, etc. There is a three-grace period for TSPs with less than 100 000 subscribers. It does not apply to financial institutions, charities, primary and secondary educational institutions, hospitals, places of worship, retirement homes, broadcasters or to the broadcasting component of TSPs that provide both telecommunications services as well as broadcasting services. There are also exclusions for telecommunications services intended principally for the use of its provider and the provider’s household or employees, and not the public (TALE, Schedule 1, and s.5(1),(2)). There are partial exclusions from TALE for post-secondary educational institutions, libraries, community centres, restaurants, hotels, apartment buildings and condominiums – they are required only to provide to law enforcement agencies information about what kind of telecommunications services they provide, and the name of any TSPs they use in order to provide their services (TALE, Schedule 2, ss.5(3) and 24). Thus, for example, a coffee-shop providing WiFi access would not be required to build into their own network interception capabilities or record subscriber information of each customer.
The Government has also introduced a companion bill to TALE, Bill C-46, the Investigative Powers for the 21st Century Act (IP21C). IP21C in an omnibus bill that modifies the Criminal Code, the Competition Act, and the Mutual Legal Assistance in Criminal Matters Act. For the purposes of lawful access, IP21C does three key things – it creates preservation orders, production orders, and modernizes tracking warrants.
First, it would allow law enforcement agencies to apply for preservation orders requiring service providers to provide them computer data or records. Section 487.012 of the Criminal Code is amended to allow a law enforcement agency to require an individual to preserve computer data that is in their possession or control, if they have reasonable grounds to suspect that an offence has been or will be committed (a “preservation demandâ€). There is no requirement to follow such a demand, however, so to ensure preservation the LEA must apply for an order from a judge, who must also be convinced that there are reasonable grounds to suspect the individual has committed or will commit an offence (a “preservation orderâ€) (s.487.013). Neither a demand nor order can be made to the individual who is under investigation.
Second, there are specific “production orders†that an LEA may apply for in order to get at transmission data, which includes information that is transmitted to identify, activate, or configure a device in order to establish or maintain access to a telecommunications service for the purpose of establishing or maintaining communication, including the date, time, type, direction, method, size, and origin of the communication. It does not include the actual content of the communication. The Code is modified to allow an LEA to apply to a judge for a production order that would order a person to prepare and produce a document containing transmission data that is in their possession. In the case of transmission data that is sought in order to identify an individual or device, the judge must be satisfied that: 1) there are reasonable grounds to suspect an offence has been or will be committed, 2) the identification of a device or person involved in the transmission of a communication will assist in the investigation of an offence, and 3) production will allow the identification of other individuals who possess that information (s. 487.015). In the case where transmission data is sought for any other reason, the judge must be satisfied that: 1) there are reasonable grounds to suspect an offence has been or will be committed, and 2) the transmission data at issue will assistance in the investigation of that offence. Similar production orders can be made for tracking data (s.487.017) and financial data (s.487.018).
Third, the Code is amended to update the rules surrounding tracking warrants – warrants that allow law enforcement agencies to track transactions, the movement of things, or the movement of individuals. In order to lawfully use a device to enable law enforcement to track the transactions or the movement of objects, the new s.492.1(1) requires that law enforcement obtain a warrant from a judge who is satisfied that there are reasonable grounds to suspect that an offence has been committed or will be committed, and that tracking the location of one or more transactions or things will assist in the investigation of that offence. In the case of tracking individuals or objects customarily worn by individuals, the judge must be satisfied to the higher standard of reasonable grounds to believe. In either case, the warrant grants law enforcement the authority to install, activate, use, maintain, monitor, or remove a tracking device, including covertly.
What safeguards will apply to these new powers?
The law will not change regarding interception of private communications – law enforcement will still require a warrant on the reasonable grounds to believe standard before they can intercept the content of communications. The interception provisions in the TALE simply require TSPs to ensure the technical capacity for intercepts is in place.
In contrast, there is no prior judicial authorization required for law enforcement access to subscriber data under TEALE. However, there are some structures created in order to limit the potential for police abuse of these provisions:
-
The request may only be made by a designated law enforcement official in the course of his or her duties (s.16(2), (3))
-
The request must be in writing (s.16(1))
-
No more than 5% of the individuals in a given law enforcement agency can be designated as having the authority to make a subscriber information request (s.16(3))
-
While any law enforcement official can make a request under emergency circumstances, to do so they must provide identifying information to the TSP, report their request to a designated individual within 24 hours, and that designated individual must confirm to the TSP that the request was in fact legitimately made under emergency circumstances (s.17).
-
Any request must be followed by a written record of the request that identifies the law enforcement duty/function being pursued, the relevance of the information requested to that duty/function, and any other information that justifies the request (s.18(1))
-
Any subscriber information provided to law enforcement cannot be used (absent consent) except for the purposes for which it was obtained originally (s.19)
-
Regular internal audits shall be conducted (s.20(1))
-
The Privacy Commissioner may also conduct audits (s.20(4))
In the case of preservation demands, there is no mandatory compliance by the subject of the demand. This is of course not the case with preservation orders, which must be followed. A preservation order will only be granted with judicial authorization (on the reasonable grounds to suspect standard), and expires after 90 days.
In the case of production orders, general orders will be granted with judicial authorization on the reasonable grounds to believe standard. However, orders for the production of transmission data will be granted on the lower reasonable grounds to suspect standard (in addition the other requirements outlined above). In no case may the individual who is under suspicion be made the subject of a preservation or production order.
Why do the police want more surveillance powers?
The police argue that their current powers of investigation are insufficient to deal with the challenges posed by new information and communication technologies. They say that they are experiencing increasing difficulty conducting cybercrime investigations and prosecuting criminals for a number of reasons. They argue that new technologies enable criminals to commit crimes anywhere in the world from the safety and relative anonymity of remote locations. Current search and seizure powers do not permit the gathering of enough evidence to pursue criminals successfully. And telecommunications service providers’ control over their own communications systems frustrates police attempts to conduct electronic surveillance.
With respect to the the proposal to force TSPs to put in place more convenient means by which police can intercept communications, the government explains: "when a new technology is introduced, although law enforcement or CSIS have authority to lawfully intercept communications, technical barriers can make it difficult or impossible to effect court authorized interceptions. With the steady rollout of new technologies and the time it takes to put in place interception capabilities, criminals continue to use technology to hide their illicit activities from detection."
What is the federal government's rationale for increased surveillance powers?
The lawful access proposals have been justified on three main grounds:
-
The need of Law Enforcement Agencies for more effective tools to investigate criminal acts in the digital age (see above).
-
Canada’s desire to ratify the Council of Europe’s Convention on Cyber-Crime. While not a member of the Council of Europe, Canada was involved in drafting this treaty, has signed it, and wishes to ratify it. In order to ratify, Canada must implement certain measures such as Preservation Orders and Production Orders.
-
The need to update certain Criminal Code sections in order to reflect technological developments (e.g., change "telephone" to "telecommunications"; specify how email should be treated: as a communication that is intercepted or as a record that is searched?).
See the Justice Canada FAQ on Lawful Access for more explanation of the rationale for these proposed changes.
Does the Charter of Rights and Freedoms protect me from over-broad electronic surveillance?
Yes, section 8 of the Charter provides everyone with "the right to be secure against unreasonable search and seizure". Section 8 is qualified by s.1 (s. 1 jurisprudence summary) of the Charter, which states:
"The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society."
The Supreme Court of Canada has interpreted the section 8 right in a number of decisions. For example, it has determined that for a search to be reasonable it must be (a) authorized by law; (b) the law itself must be reasonable; and (c) the manner in which the search was carried out must be reasonable (R. v. S.A.B., 2003 SCC 60).
The Court has also said that section 8 only protects a "reasonable expectation of privacy". It has said that people have a reasonable expectation of privacy in their private communications, and that a "private communication" occurs where a person has reasonable grounds to believe that the words would only be heard by the person addressed: see R. v. Duarte [1990] 1 S.C.R. 30. Thus, surreptitious monitoring or interception of private communications violates the Charter unless done with proper authorization.
The Court has also said that everyone has a reasonable expectation of privacy in their "biographical core of personal information" – i.e., information which tends to reveal intimate details of the lifestyle and personal choices of the individual. But we don’t necessarily have a reasonable expectation to privacy in respect of information that doesn’t reveal deeply personal information about us, such as our electricity records or the amount of heat emanating from our houses: see R v. Tessling 2004 SCC 67; R. v. Plant, [1993] 3 S.C.R. 281.
For more on section 8 jurisprudence, see this summary.
The government has crafted its Lawful Access proposals carefully so as to withstand any Charter challenge. However, whether the 2005 Lawful Access proposals overstep Charter limits is debatable and will only be determined if and when they are challenged under the Charter.
Will these proposals mean that my online communications can be monitored at will by the police, without judicial authorization?
No. However, the requirement that telecommunications service providers have built-in intercept capability will make it easier for police to get access to online communications. Thus, the proposals would facilitate judicially-authorized monitoring of private communications.
Do the proposals require that ISPs retain all data about their subscribers for a certain period of time?
No. Unlike several European countries, the Canadian federal government has not proposed broad-based, mandatory "data retention" scheme. Instead, the government has proposed that Law Enforcement Agencies be able to obtain a "Preservation Order" requiring telecommunications service providers to preserve already existing data about a specific individual for up to 90 days. During this 90-day period, the LEA could apply to a court to force the service provider to produce the 'preserved' information. Data subject to a Preservation Order would not be accessible to the police unless and until they obtained a subsequent Production Order or search warrant.
Under what circumstances could the police search and seize information about me without judicial authorization?
The lawful access proposals would require service providers to hand over certain basic "subscriber data" (name, email address, telephone number, IP address, physical address) upon request, without a court order or warrant. See above under "What Lawful Access powers to LEAs currently have in Canada?" for information on warrantless searches currently permitted under Canadian law.
Will it be easier for the police to get search warrants under these proposals?
The proposals would not change the test for obtaining search warrants under Criminal Code. However, they would lower the standard for getting Production Orders for "tracking data" and "transmission data" from the current "reasonable grounds to believe" threshold to a "reasonable grounds to suspect" threshold. They would also introduce new ways for police to gather information necessary to make a case for a search warrant. In particular, the proposals would allow LEAs to gather information through warrantless access to 'subscriber data'.
Will it be easier for the police to intercept private communications under these proposals?
Yes. One of the main purposes of the lawful access proposals is to make it easier for police to intercept communications when they have judicial authorization to do so. This would be done by requiring that telecommunications service providers have the capability to intercept communications so that when the police need to monitor communications, they do not run into technical obstacles.
Who is going to pay for the new capabilities that TSPs must have under these proposals?
The issue of who will directly pay the costs of making information and communication networks wiretap-ready and responding to requests from law enforcement has been the focus of much concern in the telecommunications industry. TSPs are worried not only about the cost of technical upgrades required in order to provide intercept capability, but also about the cost of having staff ready to respond to requests from law enforcement on a 24 hour/day basis.
The federal government has proposed that telecommunications service providers would be responsible for costs associated with adopting 'wiretap-ready' building in intercept capability whenever they adopt a new technology or service, or make a significant upgrade to their systems, but that the government would cover the costs of necessary initial changes to their existing systems or networks.
Ultimately, we will all pay either as taxpayers or as subscribers to internet and telephone services.
How is a "Production Order" different from a "Search warrant"?
Production orders shift the burden of the actual search from the police to the organization served with the Production Order. Instead of the police conducting the search themselves a service provider is required to conduct the search of its own records and produce the requested documentation to the police.
Production Orders may disclose more or less information to the police than they would get via a search. On one hand, the service provider can provide only that which is requested and can protect the confidentiality of records not subject to the Order. On the other hand, the service provider may disclose more than the police have requested, either inadvertently or for reasons of business efficiency.
How does "Data Preservation" differ from "Data Retention"?
The term "data retention" has been used (particularly in Europe) to mean general retention by telecommunications service providers of data on all customers, not just those under suspicion of criminal behaviour.
In contrast, the Canadian government has used the term "data preservation" to refer to orders for the retention of data about a specific individual who is the subject of an investigation.
A Preservation Order would allow law enforcement to require telecom service providers to preserve communications sent to, or from, a party specific to the order. The Preservation Order would effectively require the telecom service provider to start surveillance and collect information on the party named in the order.
Critics have suggested that although these approaches are significantly different in theory, they may not be in practice. In other words, data preservation could become data retention in practice, if generalized data retention is the least expensive way for telecommunications service providers to comply with individual-specific data Preservation Orders.
Is the lawful access initiative related to anti-terrorism measures?
While the lawful access proposals were initiated before 9/11, and have their roots in international efforts to address cybercrime investigation and prosecution, there can be little doubt that the anti-terrorism efforts have contributed to the pressure for increased police powers to conduct cyber-investigations.
What measures are other countries taking to combat cybercrime?
In 2001, the Council of Europe drafted the Convention on Cyber-crime to address some of the legal issues raised by new technologies, including hacking, child pornography, copyright offences and difficulties investigating and prosecuting cybercrime across borders. The Convention calls on signatory states to adopt Production Orders and Preservation Orders, among other lawful access measures.
To date, thirty-one nations, including Canada, have signed the Convention. However, only eleven have put the treaty into force, none of them major, industrialized nations. It is not clear if the United States, one of only four non-European countries to sign the treaty, will even ratify it, since aspects of the Convention may contravene the U.S. Constitution.
The European Union recently proposed harmonized data retention rules requiring telecommunication service providers to collect and store telephone traffic data for up to one year and Internet traffic data for up to six months. The data could be accessed by law enforcement agencies from other member states on request. Currently, the majority of the European Union's 25 member states have no mandatory data retention legislation, while half of those who do have such policies have not put in place all the laws needed to enforce the rules. Those that do have data retention schemes differ in their required retention scope and period.
The US Federal Communications Commission issued an order in late September 2005 requiring all broadband ISPs to ensure that their systems are intercept capable (i.e., allow police to eavesdrop on their customers' communications) by spring 2007. This order would expand the scope of the existing US wiretap law, the Communications Assistance for Law Enforcement Act (CALEA), which currently applies only to "telecommunications carriers". Some industry players and civil society groups have appealed the order, arguing among other things that it would erode civil liberties and stifle innovation by imposing onerous technological demands on developers.
For more information on US wiretap laws, see CDT's CALEA webpage and EPIC's wiretap webpage. For more information on recent developments in the US, see CNET's news stories.
The U.S. Congress enacted the USA PATRIOT Act shortly after the tragedy of September 11, 2001, to expand the intelligence gathering and surveillance powers of law enforcement and national security agencies. The law allows U.S. authorities to obtain records and other "tangible things" to protect against international terrorism. Further, it expands the power of U.S. intelligence agencies to seek information from individuals living inside the United States, something they were previously restricted from doing. This latter amendment opens a back door for enforcement of ordinary criminal and regulatory laws.1
The USA PATRIOT Act also expands the circumstances under which the FBI can secretly compel financial institutions, phone companies and Internet service providers to disclose information about their customers. There is no independent oversight of these disclosures. Until recently, third party recipients of such letters were permanently barred from revealing that they had been served.
1 The Department of Homeland Security has added a number of new categories to its internal record-keeping system for tracking actions that, in its view, are in some way related to terrorism, including one for "anti-terrorism" which according to the Department's data manual covers immigration, identity theft, drug and other such cases brought by prosecutors that were "intended to prevent or disrupt potential or actual terrorist threats where the offence conduct is not obviously a federal crime of terrorism."
Has the Canadian government consulted with the public on the lawful access proposals?
Yes. In August 2002, the Canadian government (Justice Canada, Solicitor General, and Industry Canada) issued a Lawful Access Consultation Paper soliciting stakeholder comment on a number of proposals to enhance electronic surveillance powers. The government received over 300 submissions in response to these proposals – from the law enforcement community, telecom service providers, civil society groups, privacy commissioners, and the public. A summary of those submissions is available here. Many groups and individuals were highly critical of the proposals, arguing that no real justification had been provided for increased government surveillance powers, and that the proposals would unnecessarily and inappropriately curb important civil liberties that are fundamental to a free and democratic society. Archive of the copies of the submissions.
Over the next two years, the government refined its proposals, taking into account the input it had received. In early 2005, it consulted privately with selected stakeholders (including civil society groups and telecom service providers). CIPPIC was one of the organizations consulted. We provided express concern about undue invasion of civil liberties, lack of justification, and inadequate safeguards for protecting personal privacy. See belowfor a summary of concerns raised by CIPPIC and other civil liberties groups.
What concerns have been raised about the lawful access initiative?
Individuals, civil liberties groups, and privacy advocates have expressed a number of concerns about the proposals. The following are some of the most common concerns expressed:
-
New technologies provide LEAs with unprecedented surveillance capabilities and opportunities. They are far more of a threat to individual privacy than they are a frustration to law enforcement. Individuals and societies need protection from unjustified surreptitious uses of these technologies by LEAs and others as much as they do protection from criminal uses of these same technologies.
-
Warrantless access to subscriber data is a serious invasion of individual privacy, given the highly personal information to which LEAs have access once they can associate a person with an IP address or other indicator. The internet is a vibrant forum for expression of political dissent and unpopular views, as well as for the sharing of highly personal information, in large part because of the anonymity that it offers to people. If police are allowed to strip individuals of their online anonymity without judicial authorization and under cover of secrecy, it is almost assured that such powers will be abused, and valuable free speech will be chilled.
-
Access to subscriber data is further problematic in that the account subscriber is not necessarily the person using the account. Thus, innocent people could be targeted.
-
Use of a "reasonable grounds to suspect" threshold for preservation and production orders, rather than a "reasonable grounds to believe" threshold, means that these orders will be easier to get. The move toward searches based on suspicion rather than belief opens the door to abuses and will no doubt lead to greater police surveillance of innocent people. Suspicion is too low a standard to justify police surveillance of any sort.
-
Production orders amount to conscripting the private sector as agents of the state, a trend that raises serious civil liberties concerns. Private companies should not be forced to engage in investigative activities on behalf of the state.
-
Email is akin to oral communications from the user perspective, but unlike oral communications, it leaves a data trail ripe for monitoring by LEAs and others. The current law is unclear as to whether and when LEA access to email communications constitutes "interception of private communications" versus a "search" of computer records. E-mail should be treated as private communications and thereby subject to the same protections from interception as are oral communications, at least until downloaded by the recipient.
-
Requiring that telecommunications service providers increase their surveillance capabilities (so that police can take advantage of them) will create new opportunities for abuse both by LEAs and service providers. Major ISPs, who provide service to the majority of Canadians, would eventually be capable of intercepting data, isolating specific subscribers, and removing any encryption or other changes that they make to data transmissions.
-
The proposed new powers lack adequate safeguards against abuse. In addition to judicial authorization on a "reasonable and probable grounds to believe" standard, limits on the use, retention and disclosure of personal data gathered are needed to protect individual privacy. Persons subject to covert searches, as well as surveillance, should be notified after the fact unless there is justification not to notify. LEAs should be required to keep records and report on all lawful access activities. And there should be penalties for abuse of these powers.
-
The proposals lack sufficient general oversight. Current oversight mechanisms (e.g, SIRC, RCMP Compliants Commission) are inadequate to detect, deter, and deal with LEA abuse of the new powers being proposed. Additional reporting and oversight mechanisms are required.
-
Canadians will end up paying for these measures, either in the fees they pay for telecommunications services or as taxpayers.
-
There is no clear or compelling justification for the increased surveillance powers and capabilities proposed by the government. Before exposing Canadians to this increased level of state surveillance, as well as to the ultimate cost of these measures, a better case needs to be made that the measures will improve law enforcement in Canada.
See the links below for more analysis and concerns raised by Privacy Commissioners and civil society groups.
What proposals have been made by privacy advocates and others in response to the lawful access proposals?
A number of proposals for additional safeguards have been made, including the following:
Access to Subscriber Data
-
Require prior judicial authorization for access to subscriber data, as for other search and seizures of information;
-
Require that the LEA have reasonable grounds to suspect criminal activity, as well as a link between the actual subscriber and the criminal activity (even if no prior judicial authorization);
-
Require record keeping by both TSPs and LEAs for all accesses to and requests for subscriber data, including the purpose for access, and whether the access led to a charge or conviction;
-
Require reporting of any disclosure of subscriber data, along with the justification for the disclosure, whether or not there is a judicial authorization requirement;
-
Require that all access to subscriber data requests be made in writing;
-
Impose a duty upon law enforcement to inform targeted subscribers/subjects of orders at the earliest appropriate time of the access request; and
-
Create a specific oversight body to scrutinize the proposed use of the warrantless access to subscriber data;
Production Orders and Preservation Orders
-
Make the threshold test for Production Orders and Preservation Orders "reasonable grounds to believe" rather than "reasonable grounds to suspect";
-
Limit the application of Production Orders and Preservation Orders to serous offences, such as those carrying sentences of five years or more;
-
Require judicial authorization, or at least "reasonable grounds" subject to review after the fact, for Interim Preservation Orders;
-
Limit warrantless Interim Preservation Orders to circumstances where there is a clear risk that data necessary for an investigation will be destroyed or erased while a judicially authorized order is being sought;
-
Reuire that both LEAs and service providers keep detailed records of all Preservation Orders and Production Orders;
Treatment of Email
-
Treat email as a "private communication", at least until the point where it is opened by the intended recipient;
General Privacy Protection Safeguards
-
Apply strict time limits on the retention of data gathered via electronic surveillance and other Lawful Access powers;
-
Apply strict limits on the use and disclosure of data gather via electronic surveillance and other Lawful Access powers;
General Accountability and Oversight
-
Create an independent oversight body to supervise lawful access activities of Law Enforcement Agencies and ensure public accountability, transparency, and scrutiny, and to enhance public confidence;
-
Require the regular and meaningful reporting of all lawful access measures undertaken by Law Enforcement Agencies;
-
Introduce a criminal offence for opportunistic use, or misuse of information accessed through Lawful Access powers.
See the links below for more proposals from Privacy Commissioners and civil society groups.
Which government agencies are sponsoring the lawful access proposals?
Three departments have sponsored the lawful access proposals:
-
Public Safety and Emergency Preparedness Canada (PSEPC). PSEPC includes both CSIS and the RCMP. (TSP Interception Capability; Access to Subscriber Data)
-
Justice Canada (Criminal Code amendments) Lawful Access Page
-
Industry Canada (Competition Act amendments)
Resources & Links
Canadian Government Links & Relevant Canadian/International Statute Links
-
Ontario Privacy Commissioner's submission on "Lawful Access" (April 21, 2005)
-
PSEPC Report on Electronic Surveillance Annual Report on the use of Electronic Surveillance for 2004
-
European Union Convention on Cyber-Crime text of the Convention
-
Bill C-74 (Modernization of Investigative Techniques Act)
-
Bill C-47 (Technical Assistance for Law Enforcement in the 21st Century Act)
-
Bill C-46 (Investigative Powers for the 21st Century (IP21C) Act)
-
Backgrounder: Public Safety Canada, Technical Assistance for Law Enforcement in the 21st Century Act
-
Media Release: Public Safety Canada, Government Of Canada Introduces Legislation To Fight Crime In The 21st Century
-
Backgrounder: Department of Justice, Investigative Powers for the 21st Century (IP21C) Act
Academic & CIPPIC Links
-
Philippa Lawson's slides presented at the Cdn InfoSec Summit in June 2005 (intro to lawful access)
-
Philippa Lawson's slides presented to the ICLMG in May, 2005
-
Professor Michael Geist’s Lawful Access Comments With comments and links to many privacy law pages
Lawful Access, CyberCrime & Privacy Law Interest Group Links
-
US Department of Justice (USDOJ) CyberCrime page
-
Declan McCullagh’s PoliTech page with comments on Canadian Lawful Access
-
Electronic Frontier Canada (EFC) and Electronic Frontier Foundation (EFF) Comments on Justice Canada’s Lawful Access proposal
-
ARMA International Lawful Access Page
Charter Links
-
Unreasonable Search and Seizure – Section 8 jurisprudence Summary
-
Section 1 Jurisprudence – summary of tests for laws that are "demonstrably justified in a free and democratic society"
This page last updated: June 2, 2007