At issue is the agency’s indefinite retention of metadata known as “associated data.” In his redacted ruling, Justice Noël wrote, “Over the course of these proceedings, it became clear, through submissions and witnesses, that the definition of associated data for the Court consists of data collected through the operation of warrants from which the content was assessed as unrelated to threats and of no use to an investigation, prosecution, national defence, or international affairs.” While the content was not retained, CSIS apparently believed it could retain the metadata and did so.
Justice Noël also ruled that “CSIS has breached, again, the duty of candor it owes to the Court.” His decision includes a protracted discussion of the degree to which this breach was intentional. While there are uncertainties, it is very clear that, as a designated judge charged with the responsibility of balancing CSIS’s need for information with the privacy rights of innocent Canadians, Justice Noël was not provided with all relevant information. That, in itself, is a clear demonstration that change is required.
CSIS is not alone in the metadata controversy. As I pointed out in August 2015, the Conservative Government at the time asserted the absurd position that metadata collection by government agencies was legal, despite the fact that collecting the content of the same communications would violate criminal and constitutional law. The fact that governments continue to argue a cloudy and fictional separation between communications content and metadata does a disservice to all Canadians, including the hard-working men and women of our law enforcement and intelligence agencies. When law enforcement and intelligence agencies have a legitimate need to collect and retain data of any type, it should be clearly articulated in legislation or court orders.
The timing of Justice Noël’s ruling could not be better. The Government of Canada recently launched a consultation on national security to “help inform future changes to national security tools, including those introduced in the Anti-terrorism Act, 2015 (former Bill C-51), to ensure that Canada’s national security framework is effective in keeping Canadians safe, while also safeguarding our values in a free and democratic society.”
A key area in this broad consultation, “Investigative Capabilities in a Digital World,” covers basic subscriber information, interception capability, encryption, and data retention. “In the face of evolving threats,” it reads, “investigators worry about four main problems: slow and inconsistent access to basic subscriber information to help identify who was using a particular communications service at a particular time; the lack of a general requirement that domestic telecommunications networks maintain the technical ability to intercept messages; the use of advanced encryption techniques that can render messages unreadable; and unreliable and inconsistent retention of communications data.”
While Canadians certainly desire effective law enforcement and national security agencies, the government’s Green Paper focuses primarily on the needs of law enforcement, and some of the questions in the paper raise the spectre of increased surveillance powers.
Consider this Green Paper question: “Should Canada’s laws help to ensure that consistent interception capabilities are available through domestic communications service provider networks when a court order authorizing interception is granted by the courts?” Telecommunication companies have traditionally been required, through various mechanisms such as conditions of licence, to include intercept capabilities in their systems. But with the changing nature of telecommunications, including VoIP and various IP-based forms of communication, what does this entail today? Are law enforcement agencies asking for ISPs and cloud providers to include mandatory intercept capabilities in their networks and applications? And if so, who is going to pay for it?
The Green Paper also poses ridiculous questions, presumably written by someone who neither understands the technology nor observed the great sinking of the Clipper Chip in the mid-90s: “How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?” The answer is simple: They can’t.
Rather than hunt for non-existent magic bullets, Canadian law enforcement and intelligence agencies need to accept their new reality and focus on developing relevant investigative techniques. New mechanisms sought by police to force individuals to hand over passwords and encryption keys would not help in the fight against organized crime and terror. They would, however, open the door to disproportionate invasions of privacy.
Hopefully Canadians will take full advantage of the ongoing Government of Canada consultation and not only respond to the detailed questions, but more generally express their desire for clear rules, better accountability, meaningful oversight, and an end to metadata games.
Have a security question you’d like answered in a future column? Email email@example.com