Restoring Accountability for Telecommunications Surveillance in Canada

By August 11, 2015 No Comments

Canadian federal, provincial, and municipal authorities routinely request access to data that are either stored or processed by telecommunications service providers. A slew of laws authorize such requests including recently passed legislation expanding security intelligence activities[1] and establishing new data preservation and production powers. Furthermore these laws have authorized government agencies’ use of malware, and legalized the voluntary sharing of telecommunications data between corporations and government.[2] Surveillance-enabling laws are well-used by authorities, to the point that hundreds of thousands of requests for telecommunications data are made each year and affect hundreds of thousands of Canadians.[3] And as discussed in this article, few government requests for access to telecommunications data are disclosed to the Canadian public. In essence, governments of Canada conduct a massive volume of telecommunications surveillance with limited public accountability.

This article will first examine corporations’ involvement in government surveillance activities: how much surveillance are companies compelled to conduct and how effective are companies’ efforts to explain their government-compelled surveillance practices. Next, the paper will discuss how Canada’s surveillance oversight, review, and reporting infrastructures have fallen into disrepair and the significance of these infrastructures’ failures. The paper concludes by discussing how improving statutory electronic surveillance reports, empowering oversight and accountability bodies, and establishing a parliamentary oversight committee for national security could restore trust in contemporary surveillance activities while identifying — and defraying — bad actions.

Corporate Disclosures of Telecommunications Information

Canadian telecommunications service providers (TSPs) are routinely compelled to provide telecommunications data to government authorities. In 2010, the Royal Canadian Mounted Police (RCMP) made at least 28,143 requests for subscriber data; such information includes subscribers’ names, addresses, and possibly information about the devices they use, electronic identifiers, and billing information. Of these requests, 93.6% were fulfilled without authorities first acquiring a court order.[4] In 2011 the Office of the Privacy Commissioner of Canada learned government authorities had made at least 1,193,630 requests for subscriber data over the year, and that the requests affected at least 784,756 subscribers.[5] In 2013, six of Canada’s telecommunications providers asserted that they had received a combined 140,457 requests for subscriber data between them and a grand total of 372,825 requests by government authorities for telecommunications information. This latter total reflects all of authorities’ requests for telecommunications data, thus including subscriber data requests as well as those based on subpoenas and warrants, on emergency grounds, and other legal grounds. These latter kinds of requests can include any kind of electronically communicated data, from wiretaps to text messages to emails or Internet logs.[6]

At present, few Canadians will ever learn that their telecommunications information has been disclosed to government authorities. Only when individuals have their communications intercepted, recorded using a hidden camera, or other real-time acoustic recording, are they notified of the government’s surveillance regardless of whether charges are brought against the monitored person.[7] More specifically, government authorities do not have to notify Canadians when authorities have collected persons’ subscriber data, stored email, or other modes of telecommunications surveillance. The only way for Canadians to learn they are affected by these latter modes of surveillance is if the collected information is used against them in a legal proceeding. Consequently, most Canadians remain oblivious when their TSP discloses their personal information or monitors their telecommunications on behalf of government authorities.

No Canadian TSP has publicly committed to notifying their subscribers of government surveillance or taken public policy positions that Canadians ought to know when their TSP has been compelled to share subscribers’ information with authorities.[8] Although Canadian TSPs have begun releasing transparency reports to disclose the number of times government authorities compel data from the companies, the reports do not explain data retention periods or disclosure practices. The former is needed for Canadians to understand just how much data a given government order might elicit from a company, and the latter for Canadians to understand what authorities must do to force companies to disclose information. These additional categories are needed to contextualize existing transparency reports if those reports are to be useful public policy documents.

At present the only parties who are guaranteed to know about the surveillance — the government authorities and TSPs — tend not to, or are disinclined to, inform the victims of such surveillance when charges are not brought against the targets of the government’s attentions. In light of these limitations, Canadians are forced to rely on accountability processes as well as oversight and review bodies to ensure that inappropriate surveillance does not take place.

Accountability Deficits

Canada has a federal oversight system that was largely developed for the 1970s and 1980s, which has fallen into disrepair as successive federal governments have prioritized the expansion of surveillance powers at the expense of equivalent oversight and accountability for the use of these powers. Specifically, annual electronic surveillance reports and federal review, oversight, and accountability offices do not effectively monitor or report on the extent of government surveillance powers. Consequently, the public and parliamentarians are hindered in holding the government accountable for its use of telecommunications surveillance powers.

The federal and provincial governments of Canada are obligated under s.195 of the Criminal Code to produce annual reports that detail the regularity with which they intercept Canadians’ communications. The actual number of federal intercepts has declined since the 1970s, though the average number of persons affected by each interception warrant has risen.[9] Moreover, while the federal government of Canada publishes its annual report on the Public Safety Canada website, few of its provincial counterparts make their reports publicly accessible. This has the effect of masking the extent of interception-related surveillance; whereas federal government agencies conducted 845 telecommunications interceptions in 2011,[10] Canadian telecommunications service providers received at least 6,000 interception orders in the same year.[11]

The annual electronic surveillance reports do not account for the range of contemporary telecommunications surveillance practices undertaken by government agencies. They do not, for example, account for government requests for subscriber records, for access to content stored on computer servers, for access to metadata pertaining to telecommunications activities, or uses of computer malware to collect or extract information from computer devices. These non-interception modes of surveillance account for the majority of government telecommunications surveillance; whereas the Canadian Border Services Agency made 18,849 requests for telecommunications information in 2012 and 2013, none of those requests involved intercepting communications.[12] The RCMP made at least 28,143 requests for subscriber information in 2010,[13] whereas there were a total of 535 requests for telecommunications interceptions across the entire federal government for the same year.[14]

Canadians might expect federal review, oversight, or complaints officers to ensure government authorities do not inappropriately access telecommunications information. These officers and their associated offices, however, cannot provide high-levels of assurance that authorities only appropriately access telecommunications information. In the case of the Security Intelligence Review Committee (SIRC), which conducts annual reviews of some of the Canadian Security Intelligence Service’s (CSIS) activities, its review functions have been challenged by not having a full complement of committee members to oversee the SIRC.[15] Only recently has the government appointed two new members to fill the committee. Both of them possess strong national security backgrounds. However, the SIRC was never meant to include such persons on its committee[16] and so even in fully staffing the committee, its composure of not including members of the intelligence committee has been compromised.[17] Moreover, CSIS delays providing information to the SIRC and thus inhibits the SIRC’s abilities to conduct reviews.[18] And the SIRC cannot identify how CSIS-gathered information is used after it is shared outside of CSIS,[19] preventing the review body from assuring parliamentarians that CSIS-related telecommunications surveillance is conducted in accordance with CSIS’, and associated agencies’ mandates or legal authorities.

The Office of the Privacy Commissioner of Canada (OPC) is limited in its ability to investigate government telecommunications surveillance. Critically, the Privacy Act limits the OPC to only examining the collection and use of Canadians’ personal information; the OPC “does not have jurisdiction to examine in general the lawfulness of the activities of national security agencies.”[20] Moreover, even when the OPC discovers that a federal agency is conducting, or has conducted, an inappropriate mode of telecommunications surveillance it cannot stop the activity using its powers under the Privacy Act, nor can it compel federal agencies to modify their practices under the OPC’s present legal powers. The result is that while government agencies may implement the OPC’s recommendations there are no hard legal consequences for failing to act on those recommendations.

Oversight deficits carry over to the Office of the Communications Security Establishment Commissions (OCSEC), which oversees Canada’s foreign signals intelligence agency, the Communications Security Establishment (CSE). The OCSEC tables an annual report that accounts for some of the CSE’s activities in the prior year. While the OCSEC has always asserted that CSE has behaved lawfully, the Commissioner warned in 2004 that the assessment “should not be taken to mean that I am certifying that all CSE’s activities in 2003-2004 were lawful. I cannot make this assertion, because I did not review all their activities—and no independent review could.”[21] Moreover, this assertion of lawfulness is based on the federal government’s classified and privileged interpretation of CSE’s own national security mandates; the OCSEC has warned that, given this basis of lawfulness, they have applied an “interim” solution of relying on the Department of Justice’s interpretations of CSE’s mandate since CSE’s formal independence in 2001.[22] The result is that CSE’s lawful telecommunications surveillance that has occurred since 2001 is predicated on a stopgap interpretation, one which has never been publicized. Moreover, the OCSEC, like the SIRC and OPC, cannot work with other governmental review, oversight, or accountability bodies. The consequence is that the OCSEC cannot track information that CSE collects and then distributes to other agencies. As a result, the OCSEC does not fully understand how CSE-collected telecommunications information pertaining to Canadians is used by other domestic and foreign government agencies.

Making matters worse is the absence of dedicated review or oversight bodies for most government agencies that receive or compel access to telecommunications information. The CBSA, as an example, possesses neither an inspector general nor an independent review organization, despite the regularity that CBSA conducts telecommunications surveillance. The same is true of the majority of government agencies that will be authorized to receive and share information, including telecommunications-derived data from private firms and between government agencies as a result of provisions in Bill C-13: Protecting Canadians from Online Crime Act and Bill C-51: Anti-terrorism Act, 2015.

Restoring Accountability to Government Surveillance

Bringing government practices to account requires reforming the annual electronic surveillance reports, empowering review and oversight bodies to ‘follow the data’ beyond the borders of their own agencies, and expanding parliamentary oversight. Without such reforms Canadians and their political representatives, as well as independent officers to parliament meant to oversee and review government surveillance activities, cannot effectively detect or reform inappropriate, overzealous, or otherwise concerning government surveillance activities.

Annual electronic surveillance reports provide useful information about government telecommunications surveillance, but fail to account for the majority of contemporary surveillance practices. Given the shift in government agencies’ investigation techniques towards those favouring access to stored records and to non-content aspects of communications, these annual reports should be expanded to account for today’s government surveillance practices. Legislative amendments could explicitly require government agencies to account for their access to subscriber and customer name and address records, use of malware and tracking warrants, along with other (lesser known) modes of contemporary surveillance. Moreover, such reports should be published online by all Canadian governments. Such reforms would let Canadians and parliamentarians understand the full extent of government authorities’ contemporary surveillance powers, how regularly those powers are used, and the effectiveness of those powers in generating criminal prosecutions.

Government agencies increasingly work with one another in the course of investigations and these collaborations will increase and deepen in light of information sharing provisions included in Bill C-51: Anti-Terrorism Act, 2015. While such collaborations amplify information sharing, the organizations responsible for ensuring that government agencies do not inappropriately collect or exchange telecommunications-related data have not kept pace. Canada’s oversight, review, and privacy bodies are not legislatively permitted to collaborate or coordinate with one another. Consequently, they cannot ensure that information is collected and shared responsibly. Moreover, when these bodies do find inappropriate behaviours their abilities to legally force changes to organizational practices are limited: the OPC cannot enforce its decisions, SIRC cannot compel changes in CSIS, and the OCSEC is largely barred from identifying unlawfulness because of how its mandate and terms of reference have been secretly established. These limitations must be rectified for these bodies to assure Canadians that telecommunications surveillance is lawful and appropriate given the crimes being investigated.

In addition to improved annual reporting, and coordination and enforcement capabilities provided to independent review and oversight bodies, parliament must establish a committee to oversee security and intelligence activities. A committee that was focused on overseeing and reporting on the adequacy, efficiency, and efficacy of policing, security, and intelligence agencies’ budgetary practices would let parliamentarians hold the government to account for its spending of government monies. The committee should also, paralleling similar committees in the United States and United Kingdom, be notified of significant changes to national security policies or novel practices so that member of parliament could genuinely represent their constituents’ interests and be able to task review and oversight bodies to provide special reports as needed. Such a committee would ensure that government telecommunications surveillance activities provide good value for the tax dollars invested and that the agencies conducting the surveillance are behaving appropriately.

Were the aforementioned recommendations adopted then Canadians could at least know that their parliamentarians possessed the information and capabilities needed to hold government to account for its telecommunications surveillance. Elected representatives would be able to ask about the appropriateness of contemporary surveillance, whether new powers are genuinely required in light of the extent and regularity of contemporary surveillance, and better understand how proposed powers might fit amongst those currently enjoyed by government authorities. Without adopting these sorts of reforms, or ones like them, then Canadians will effectively continue to live in a country where extensive amounts of entirely secret telecommunications surveillance is conducted without the knowledge or meaningful approval of Canadians or their representatives. Successive federal governments have expanded government authorities’ surveillance capabilities: it is well-past time for equivalent accountability capabilities to also be expanded.