The most recent version of the Canadian Government’s lawful access legislation is upon us. The legislation expands the powers available to the police, imposes equipment- and training-related costs on Telecommunications Service Providers (TSPs), enables TSPs to voluntarily provide consumer information to authorities without a warrant, forces TSPs to provide subscriber data without warrant, and imposes gag orders on TSPs who comply with lawful access powers. Economic and civil rights costs are, as of yet, murky. Despite being an extremely lengthy piece of legislation, Bill C-30 lacks the specificity that should accompany serious expansions to Canadian policing and intelligence gathering powers.
In this post, I first outline a ‘subscriber data regime’ to discuss what does – and may – be entailed in accessing Canadians’ subscriber data. Second, I explain how subscriber data can be used for open-sourced intelligence gathering. Third, I argue that an administrative process of expanding subscriber identifiers is inappropriate. Finally, I articulate why warrants are so important, and why court approval should precede access to subscriber data. In aggregate, this post explicates the concerns that many civil advocates, academics, and technical experts have with access to subscriber information, why Canadians should be mindful of these concerns, and why Canadians should rebuff current efforts to expand warrantless access to subscriber information.
Building a Subscriber Regime
The Government of Canada is attempting to create a subscriber data regime. Specifically, the Government is seeking powers that will let authorities collect certain identifiers (prescribed information) and, with those identifiers in hand, force TSPs to disclose names, addresses, phone numbers, and other personal information. Authorities can then link prescribed identifiers to personally identifiable information. This power can, and will, be used to expand the state’s surveillance capacity: such information will not simply provide ‘clarity’ to police about individuals but will enable authorities to more intensely understand the relationships between Canadians. Specifically, the legislation reads:
16. (1) On written request by a person designated under subsection (3) that includes prescribed identifying information, every telecommunications service provider must provide the person with identifying information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.
What this means is that after TSPs receive ‘prescribed identifying information’ they will be compelled to make available a series of data fields. TSPs will need to disclose name, address, telephone number, e-mail address, and the SPIN number along with IP address. At this stage, we do not know what ‘prescribed information’ encompasses; the definition for this term will be developed after legislation is passed. While this is not unusual for government legislation – it is, in fact, the norm for regulations to ‘spell out’ what legislation practically means – it is deeply concerning with regards to surveillance legislation. In essence, deferring what constitutes ‘prescribed identifying information’ to the regulation phase prevents citizens from knowing what identifiers the state wants to use to track and identify citizens. Presumably authorities would be able to approach a TSP with the subscriber information TSPs are themselves required to disclose (e.g. email, IP address, name, etc) in order to add to the amount of subscriber information held by authorities. In addition, however, authorities could approach TSPs with other technical numbers and identifiers that are embedded in the devices we use so long as they are defined as ’prescribed identifying information’. In this scenario, authorities would link identifiers not mentioned in the legislation to subscriber data: the data records associated with subscriber profiles developed by authorities thus can be expected to far exceed the six identifiers specifically noted in the legislation.
To make this more concrete, let’s turn to the IMSI numbers associated with each mobile phone. If authorities approach your mobile phone provider with the IMSI number associated with your device (presuming that an IMSI number was amongst the ‘prescribed identifying information’) the provider would be legally required to provide your subscriber information. If authorities came with a phone number and demanded subscriber information associated with the phone number the IMSI number would not be amongst the data your phone provider would be compelled to disclose. While this is a step in the right direction – IMSI numbers were included amongst the subscriber information that would have been disclosed under previous versions of the lawful access legislation – this step doesn’t preclude authorities from capturing your IMSI as a means of identifying you. IMSI catchers can capture these unique mobile identifiers. Such devices ”establish false mobile phone towers for the purpose of monitoring and tracking mobile phones without their users’ awareness” and are used by American law enforcement and intelligence agencies to monitor and track citizens. Given that phones have almost become fetishes for most of the Canadian public, insofar as they are persistently carried on one’s person and jealously protected from third-party intrusions,
the ability to ascertain who owns, and is using, a particular mobile device is far less ambiguous than who subscribes to, and uses, a landline phone. Using contemporary policing technologies such as IMSI catchers, authorities can de-anonymize a crowd by catching the IMSI associated with each phone and immediately requesting subscriber data from mobile phone providers. While it may not be legal for authorities to engage in ruses to compel individuals to identify themselves when those individuals have done nothing wrong, with IMSI catchers no ruse is needed for the identification process to occur. The term “papers please” is a distinctly analogue notion, one that can be abandoned by authorities in possession of IMSI catchers and lawful access powers (Source).
As the lawful access legislation has been presented to Canadians we cannot state that the door is closed to law enforcement using IMSI catchers to gather unique identifying information. In fact, it is highly likely that the removal of key mobile identifiers is meant to ensure that authorities have first collected these numbers before being able to compel subscriber information from TSPs. The removal of IMSI numbers, amongst others, then cannot be understood as a ‘privacy protective’ measure. Instead, there simply isn’t a great value in preemptively possessing the IMSI, IMEI, or other mobile-related identifiers.
The significance of not knowing what constitutes prescribed information cannot be overstated: it means that Canadians are ignorant of existing identifiers that authorities want to use to unmask individuals online, and in the physical world. Moreover, it means that experts and the public alike cannot predict how the state will expand the subscriber regime as novel technologies are developed and deployed. While certainly true that many Canadians may not appreciate the role of identifiers, and their linkage with individual behaviours, this shouldn’t stand as a reason for the government to hide what identifiers it wants to use to deanonymize individuals. Only when technical experts know which identifiers interest the government can they offer thoughts and warnings about how those identifiers can – and likely will – be used by law enforcement and Canadian intelligence.
IMSI catchers are an issue today but, as technology advances, new identifiers that enable novel tracking and surveillance capacities will emerge. This means that an unfolding regime of subscriber data may develop: this will constitute a system of ever-increasing unique identifiers that, on their own, are not necessarily revealing until aggregated with additional subscriber information and open-source intelligence. How this regime will expand is thus contingent on both what systems and codes are associated with ‘prescribed identifying information’ and how subscriber data and prescribed identifiers are used by authorities.
Using Subscriber Data
Government and police briefings concerning access to subscriber data have left the the Canadian public with more political spin than technical fact. I want to fill this absence by providing some of the facts that authorities have not provided to Canadians. Specifically, I touch on the mass automation of contemporary surveillance operations, the types of TSPs that may be compelled to provide information and the implications of such disclosures, and the usage of subscriber data (when combined with open source data) to create relational information graphs that identify links between Canadians, the power structures between dialogical and associative partners, and the significance of graphing this information.
Police chiefs have, along with the government, insisted that Bill C-30 does not include provisions for warrantless access to the content of communications. They are absolutely correct: this legislation will not let the authorities snoop through your email, SMS messages, or other electronic communications to read the content of the communication without a warrant.
What the government, and its officials, have been less open in saying is this: most contemporary policing and intelligence gathering does not begin with wiretaps or interception and analysis of the contents of communications. No, it is the patterns of communications, the individuals you communicate with, and the frequency of communications that are most important in the preliminary stages of professional intelligence gathering. In an era of social networking, public communication on news websites, and prominent use of Internet forums to talk about specific (and often sensitive/politically charged) topics there is less and less need for police to obtain warrants to develop preliminary profiles on Canadians.
So, what does it mean if the authorities gain access to some of your subscriber data? In what follows, I offer a handful of examples to underscore the potential ways that the subscriber elements the government is interested in might be used.
- Wikipedia/website activity: If you are not a registered member of Wikipedia, then the edits and content additions you contribute are publicly tagged to your IP address. This IP address is publicly searchable. The public attachment of the address is meant to identify you across the site and establish some level of accountability for even anonymous Wikipedians. While such accountability is useful to identify and stymie ‘bad editors’ it can also be used to monitor Canadian citizens’ activities on Wikipedia. Why is this significant? Imagine that your IP address has been turned over by a web forum that predominantly communicates about your local Occupy movement. With the IP in hand, the authorities (a) go to your ISP to identify you as an individual; (b) identify that on Wikipedia you have been editing articles on firebombs, chemical explosives, anarchism, black block tactics, and academic freedom. While this might suggest that you are ‘of interest’ to police – and thus worth monitoring, if not charging with a specific criminal offence – it might mask the truth that you are really a graduate student who is a subject matter expert on militant advocacy in Canada. You’ve been profiled based on actions online, with certain conclusions derived from your online behaviour that would not bear out were you subject to a specific investigation. While some of the confusion might ‘work itself out’ in a court process, should you simply be monitored this profile could develop and build over time. This inappropriate characterization could lead to serious life consequences as the hidden profile influences your relations with the state over months or years.
- P2P leaks: When individuals in Canada connect to a P2P sharing service they will typically reveal their IP address to other sharing partners. Some of this information has been aggregated online, enabling law enforcement to retroactively check whether your IP address is linked with the transfer of copyrighted materials. From this it is possible to link individuals to certain profiles based on their viewing habits; large companies specialize in segmenting markets to understand the psychographic profiles of audience members. (Alternately, authorities could monitor P2P services for particular files – perhaps a popular new movie – and, with the IP address in hand, deanonymize an individual to bring copyright infringement charges to bear.) Combined with other information obtained through open-source intelligence the authorities may derive insights into your personality – and add that to a police-owned profile – that historically would have been challenging (if not impossible) to assemble.
- Geolocation: While authorities lack GPS-level geographic information when they request IP address information, they can identify the general geographic region that a person is operating from. While there are technologies that will obfuscate this level of geographic surveillance, and while IP-based geolocational awareness has limitations, these weaknesses do not prevent authorities from provisionally integrating geographic information with IP-based subscriber data. While some TSPs may have your full contact information for billing purposes (e.g. your ISP will have a full home address to send you bills each month) others, such as Facebook, Google, or prominent Web forums, likely will not. Consequently, while these latter TSPs cannot precisely identify your location they can make available sufficient information to narrow the physical search parameters.
- Pairing of associations: Assuming that the authorities have an IP address, they may then turn to TSPs such as Twitter and Facebook to verify or flesh out other subscriber data they have collected. The issue, however, is as follows: If multiple people share the same IP address – perhaps because a variety of individuals in an apartment share a common wireless router – then authorities will not just learn about person X that they are interested in, but also about persons A, B, C, and D who have logged into the same social networking sites with different credentials but the same IP address. This can have the effect of drawing together a host of subscriber records that would not be available when ‘just’ going to an ISP, where there might only be a single account holder. Moreover, where person X is suspected of some crime – and thus has a negative intelligence or policing profile – being associated with that person could be detrimental to persons A, B, C, and D, who may have no significant relationship to person X. Nevertheless, A through D may now fall within the auspice of the investigation and have their own subscriber information collected as part of ‘routine’ intelligence gathering in the lead up to either a policing or national-security driven action.
- Institutional associations: Where you are using an IP address, or email account, that is associated with a particular institution then more is revealed than ‘just’ the identifier itself. Instead, what is revealed is a (semi-)unique identifier plus a link between that identifier, available subscriber information (perhaps including telephone number and address), and potentially a place of work or organization that the individual is associated with. Thus, the email account or IP block that an individual is associated with can carry a wider breadth of information than may be initially apparent from the legislation itself: while some people may have a hotmail account and browse the Internet from public libraries (which may obfuscate organizational ties somewhat), for people who register for Internet services using organizational email accounts (e.g. XXX@uvic.ca, or YYY@IBM.co.uk) or IP space assigned through their organization/employer, then authorities may learn substantially more than ‘basic’ subscriber information. Remember that the information in the phone book lacks awareness of where you work or what organizations you are associated with: the same cannot necessarily be said of the identifiers the government is after in Bill C-30.
- Confusing common sources: If your IP address, email, or other identifying information can be linked with pseudonyms that a person uses online then it becomes possible to monitor the Web for every instantiation of that pseudonym. Of course, there are problems where different people use common pseudonyms; a historical search could aggregate the different uses of the pseudonym into a common profile or record. This may contaminate the inferences that can be derived, both in terms of the content of the open-sourced communication (i.e. public forum posts) and in terms of evaluating who the pseudonym is associated with (i.e. Usage A of the pseudonym may be linked with soccer moms, whereas Usage B may be linked with Al-Qaeda sympathizers). Either machine-based or human-based oversight would then be required to ascertain whether the common pseudonym is used by different entities and, if so, to disassociate the information into separate profiles to avoid inappropriately confusing inferences.
As should be evident, the information that the government is interested in does not simply clarify small bits about you, but instead can be leveraged to extend and enhance ‘open source’ means of profiling individuals. Effectively, it will be used with other available information to reveal core elements of Canadians’ biographical lives.
While law enforcement has indicated that access to subscriber information would largely be used to resolve ‘serious’ cases, Professor Geist has documents indicating that this stated position is disingenuous. Specifically, law enforcement has been prevented from getting subscriber records where no crime was clearly committed as well as in cases where authorities wanted access to the information to return stolen property. In the former case, the government should not have gotten access to the subscriber information on the basis that there was no significant grounds under which authorities should have had access to the data. As for the latter example, I suggest that while returning stolen property is part of the duty of law enforcement, where the powers to carry out that duty excessively infringe on civil liberties then our liberties ‘trump’ making officers’ duties easier.
One thing that various police chiefs have stated in press briefings is that analyzing subscriber information is not simple or fast. They equate accessing and tracking IP addresses to accessing and monitoring license plates. Such equivocations are highly disingenuous because they are predicated on Canadians not understanding the nature of contemporary IP address and license plate surveillance technologies. In terms of license plates, police forces around Canada are trialling Automatic License Plate Recognition (ALPR) systems. ALPR systems can capture and map thousands of license plates per hour, far in excess of what a human officer could identify and track. The historical method of surveilling vehicles’ plates – where an officer themselves looks at a plate and, from there, evaluates whether the vehicle is of interest – is receding behind us and is being replaced with a system of widespread, ubiquitous surveillance.
Just as technical infrastructures are arising to monitor, map, and data mine license plate movements, similar technologies exist to massively search the Internet for items related to IP addresses, pseudonyms, email accounts, and names that are of interest to authorities. While particularly impoverished policing bodies may have to manually look up IP addresses, email accounts, and so forth, well resourced organizations will not be similarly handicapped. The technologies that will facilitate this automated massive surveillance are not distant or near-future technologies: the equipment, systems, and services are already available for purchase, and in use, by government agencies in the United States and further abroad.
Information collected about particular subscribers will not necessarily be held in isolation of other subscribers’ information; contemporary intelligence and policing investigations rely on the ability to map relationships, identify key hubs of communications networks, and ascertain power relationships between associated individuals and organizations (Danezis and Clayton 2008). Companies like Amesys and Siemens (amongst a host of others) already provide services and systems that automatically develop relationships between tracked individuals. With the addition of open-source intelligence from social networks and the web generally authorities can develop rich profiles on individuals and the groups they associate with. Such ‘social network analysis’ enables authorities to identify relationships and organizations before the individuals who are themselves communicating and associating with one another come to the realization they compose an organization (Strandburg 2008). This is a significant predictive capability. Moreover, the challenge in systematically picking terrorists and similar rare, though high profile, criminals out of the noise of the Internet is suggestive that social analysis tools will be used where they are more accurate: where there is a broader understanding of communications between individuals involved in more common, and less serious, criminal activities. In effect, pot growers should fear the automated surveillance capabilities that Bill C-30 may promote instead of potential terrorists.
Administrative versus Legislative Surveillance
While lawful access legislation is presently before parliamentarians, the key elements of the bill will be developed during a regulation process. As noted previously, this is normal for most legislation, insofar as corporations and individuals alike need to know how legislation is practically meant to be implemented. What remains unclear is just what constitutes ‘prescribed information’ or the rate at which new data fields may be added to the initial list. Canadian citizens need to know this information because, without it, we cannot ascertain what methods the police are likely using to surveil the Canadian public. While I don’t need to know that authorities are(n’t) using IMSI catchers in particular, I can derive that insight if part of the prescribed information includes IMSI numbers. Similarly, if some of the prescribed information includes Twitter account numbers, Facebook identifiers, BBM codes, or other identifiers then I can ascertain the means of government surveillance and which TSPs the government is likely going to for subscriber information.
A citizenry has to know what the government is surveilling in order to make a judgement about the appropriateness of the surveillance. Democratic bodies are dependent on free speech and freedom to associate with individuals in order to engage with controversial ideas that may, eventually, be adopted by the public at large. In an era where the Canadian Government identifies environmental, native, and other advocacy and dissident groups as ‘extremist’ – and where these groups’ projects advance environmental responsibility, compliance with human rights, and governmental transparency – we must know what the government’s agents are doing to track, trace, and monitor citizens who most need protection from their own government. While the aims of these groups and organizations may not always (or even often) resonate with many Canadians, they should not be prejudicially profiled and targeted by authorities simply for exercising basic rights of speech, association, and engaging in peaceful civil disobedience.
In contrast, legislative surveillance extensions would constitute public extensions of authorities’ powers; all citizens (and residents of Canada generally) can know about new surveillance powers on the basis of what is declared in a new law or amendment that is tabled in the parliament. Administrative surveillance that is dependent on a regulatory process is far less transparent, and far less likely to be known to the public or to the groups most concerned about unjust, discriminatory, surveillance practices and tactics. In the US we see authorities creep forward with new means of surveilling the public, often in contravention to public norms or interests. We should set aside administrative extensions of subscriber information and instead require that extensions be tabled and debated in parliament. Such public transparency would prevent either government or Canadian authorities from subtly or secretly extending the range of identifiers that would subsequently be used to access Canadians’ personal information that is held by TSPs.
Importance of Warrants
Many of the concerns surrounding subscriber data, and its uses, might be managed were access to subscriber data linked with strong judicial oversight. Unfortunately, the government insists that subscriber information is not particularly sensitive and, in light of claimed (though not substantiated) problems in accessing subscriber data, has decided that warrantless access is appropriate. This position is problematic for two reasons: first, it will lead to retroactive bias confirmation and, second, it removes a critical check for intelligence gathering operations.
To begin, warrants limit police power and discretion, and they also have the effect of limiting hindsight confirmation. Police and intelligence officers have considerable powers in excess of what ‘normal’ citizens enjoy: authorities can detain, injure, or otherwise harm Canadians in ways that are typically illegal. Warrants force law enforcement to believe that the application of their special powers merits the overhead associated with exercising them. In effect, warrants add a level of friction to the process of evidence and intelligence collection by forcing officers to consider the relative value of the search or intelligence gathering action in relation to the resources expended in filling out a warrant request.
Moreover, the warranting process means that police cannot exercise their powers based on hunches. When police request a warrant they are stating to a judge that there is a reasonable expectation of X and that, to prevent or respond to X, they require the power to access subscriber information. A judge looks at that request and balances whether it is valid given the evidence that the authorities have assembled to date. Prior to collecting some evidence to present to a judge, a hunch is typically insufficient to convince a justice that search or access powers are appropriate. The issue, however, is that when you know something in hindsight (i.e. Person A was selling narcotics) you are likely to state that this something was what provoked the search/access to subscriber data in the first place (Solove 2011). Warrants prevent such post-hoc justifications. They force authorities to collect evidence and to be held accountable before they use subscriber data to aggregate information and build profiles on Canadian citizens.
In cases where subscriber data is being accessed for intelligence, rather than investigative, purposes it is particularly important that oversight exists at the outset of the data collection. While police may be challenged over their collection of information if subscriber data is brought to court – perhaps on grounds that the reasons to collect the data were insufficient (though this is unlikely given the grounds under which authorities can collect subscriber information under this legislation) – intelligence bodies that may never take direct action on information gathered are unlikely to be similarly challenged. Intelligence organizations, then, may develop profiles and relationship maps that link Canadians without affected individuals ever knowing that these profiles and relational mappings are responsible for difficulties at borders or when applying for sensitive jobs.
Moreover, Canadians cannot be certain that the profiles which lead them to experience difficulties are fair or accurate representations. It’s entirely possible that a poor analysis, or inappropriate profiling, that has been linked to a initial terror or criminal investigation could lead to Canadians suffering significant hardships. At issue is the inability to question or know about the source of the problem; in essence, it’s the problem of creating a Kafkaesque surveillance environment. With judicial approval there is at least the potential for overzealous intelligence gathering to be narrowed and restrained at the outset of an investigation. This potential is largely extinguished if judicial oversight is not added into Bill C-30′s subscriber data provisions during the amendment-setting stage.
I hope that it has become apparent that warrantless access to subscriber information is a very significant, and serious, matter. It is true that the information on its own, from a single TSP, provides limited insight into any Canadian’s biographical core. However, when subscriber data is integrated with information from across the web and other data sources (e.g. driving records, CPIC, border databases, etc) it becomes clear how these basic identifiers can catalyze citizen profiles. It should be clear that the warrantless facets of the legislation are deeply concerning and indicate a basic failure on the part of the government to recognize the social value of warrants. Moreover, the potential to expand what constitutes identifiers under administrative rather than legislative grounds raises the prospect of surveillance creep over time.
Canadian police chiefs have insisted that Canadians should celebrate C-30 because the legislation will make police accountable for the reams of subscriber information they have been semi-secretly accessing for years. I say that this ‘audit by legislative hostage taking’ is inappropriate: if Canadian policing bodies have been collecting this data, then they should make it available to Canadians. Citizens have a right to understand how police have conducted surveillance in this country, and police have no right to insist that minimal levels of transparency into their practices are contingent on the public expanding the authorities’ powers. Were police serious about becoming transparent they would not only be pushing for strong third-party audits of their access to subscriber data, but would be howling for the government to include a disclosure clause. Such a clause could require the same third-party auditor to notify each Canadian whose subscriber information was accessed by authorities. This notification could occur either after the investigation had concluded or after 1 year if no investigation was pending. To date, no federal politician or law enforcement official has come out for such strong disclosure requirements.
Further, Canadian police and our elected officials have failed to provide a rationale for this legislation beyond a handful of scare stories. On the one hand we are told of the number of times police are accessing subscriber data, but on the other we are not given data that would let us audit or confirm police statements that 5% of requests for subscriber data are rebuffed by TSPs. Citizens in a democracy do not have to trust the police nor the government: it is for this reason that good democracies retain potent ATIP, FOI, and other disclosure mechanisms to prevent authorities and the government from acting against the interests of the population. While the authorities certainly have a difficult job and we may want to trust them, there is no reason why we should have to trust them. Even more critically, when a nation is debating significant expansions to policing capabilities the citizens absolutely need not trust the authorities. In such cases, the public deserves raw data so they can evaluate it and thus indicate to their representatives whether they support or oppose the extension of powers. Canadian police and the government are failing their constituents and stakeholders by refusing to make available this information.
Police and intelligence bodies have challenging jobs, jobs made harder with the advent of digital systems and the preponderance of communications platforms, networks, and protocols. Canadians should be proud that, despite these challenges, our police are stopping terrorists and catching the child pornographers who reside in our nation. If new resources are genuinely required then the authorities should be permitted to make their case, but they should be required to make it by providing clear empirical data, and by proposing legislation that works as a scalpel to address their problems, rather than demanding the equivalen fo legislative chainsaws and sledgehammers to address isolated and specific difficulties. Canadians are not opposed to the police conducting their business and keeping us safe but do require evidence-based policy proposals rather than proposals based on rhetoric and fear mongering. We have yet to see the government or authorities engage in a substantive discussion about why authorities genuinely need of many of the powers in C-30. Until our representatives come forward with evidence supporting these new powers, the Canadian public should oppose efforts to needlessly expand authorities’ powers, especially given that these powers threaten the core civil rights that undergird our democracy.
Text References + Bibliography:
G. Danezis and R. Clayton. (2008). “Introducing Traffic Analysis,” in A. Acquisti et al. (eds). Digital Privacy: Theory, Technologies, and Practices. New York: Auerback Publications. Pp. 95-116.
W. Diffie and S. Landau. (2007). Privacy on the Line: The Politics of Wiretapping and Encryption (Updated and Expanded Edition). Cambridge, Mass.: The MIT Press.
G. Elmer. (2004). Profiling Machines: Mapping the Personal Information Economy. Cambridge, Mass.: The MIT Press.
D. Solove. (2004). The Digital Person: Technology and Privacy in the Information Age. New York: New York University Press.
D. Solove. (2011). “The Suspicionless-Searches Argument,” in D. Solove. Nothing to Hide: The False Tradeoff between Privacy and Security. New Haven: Yale University Press. Pp. 123-133.
J. J. Strandburg. (2008). “Surveillance of Emergent Associations: Freedom of Association in a Network Society,” in A. Acquisti et al. (eds). Digital Privacy: Theory, Technologies, and Practices. New York: Auerback Publications. Pp. 435-457.