Category Archives: Freedom

Developing a global privacy regime in the age of mass surveillance: four key principles - Open Democracy 20160208

Developing a global privacy regime in the age of mass surveillance: four key principles - Open Democracy 20160208

Europe leads in the field of the protection of privacy, with legislators, particularly courts, addressing head-on the fundamental human rights challenges posed by executive action authorising mass surveillance.

Towers, European Court of Justice at Luxembourg.

The proliferation of mass surveillance practices in recent years has posed a number of tough challenges for the protection of human rights in democratic societies, most notably for the right to privacy.

These challenges have been exacerbated by the considerable diversity in the legal and constitutional protection of privacy across the globe, with states engaging in far-reaching surveillance activity (such as the United States as demonstrated by the Snowden revelations) providing a fragmented and limited constitutional framework for the protection of privacy, especially regarding non-citizens.

At the same time, privacy protection framed strictly from a national/territorial perspective is increasingly inadequate to address the globalisation of surveillance, as evidenced by the proliferation of extraterritorial surveillance practices by states. In view of these challenges and gaps in human rights protection, I want to argue here that the development of a global privacy regime should now be an urgent priority for the global community.

There are four key principles to underpin such a global privacy regime. These principles are inspired by the current state of the protection of privacy in the European Union, and in the Council of Europe as developed by the Court of Justice of the European Union and by the European Court of Human Rights.

Europe is currently the leading actor in the field of the protection of privacy, with legislators — and in particular courts — addressing head-on the fundamental human rights challenges posed by executive action authorising mass surveillance.

Four key principles

- Firstly, the right to privacy should apply to everyone, to all individuals irrespective of their nationality.

The extension of privacy protection to everyone will serve to place meaningful limits to foreign surveillance and address the challenge of addressing global and extraterritorial systems of surveillance with territorial laws.

- Secondly, the right to privacy should cover not only the processing of personal data, but should target and limit the very collection of such data and its storage and transfer.

This is particularly important as regards the collection of every day personal data stemming from legitimate transactions such as booking a flight, arranging a bank transfer or making a phone call. A broad conceptualisation and articulation of the right to privacy, which would encompass but not be limited to the right to data protection, is key in this context.

- Thirdly, a global privacy regime must ensure effective remedies and meaningful avenues for redress for individuals claiming to be affected by surveillance activities.

The Court of Justice of the European Union in Schrems and the European Court of Human Rights in Zakharov have both espoused approaches whichenable standing and grant a remedy to individuals who cannot necessarily demonstrate that they have been affected individually by surveillance but who raise the prospect of a risk of a breach of their privacy rights due to surveillance. This approach can form the basis of a minimum standard approach on standing at the global level.

- Fourthly, the establishment of national independent privacy supervisors should be rolled out across the globe.

The European Union model is worthy of emulating here.The European Union model is worthy of emulating here as independent supervision provides with a rigorous avenue of scrutiny of compliance by the executive and the legislature with key privacy provisions, as well as strengthens the right to an effective remedy by providing an avenue for affected individuals to bring privacy complaints before independent supervisory authorities with independent investigative and decision-making powers.

Formal and informal avenues of cross-border and international cooperation between independent authorities can also be explored in order to address challenges of cross-border, extraterritorial and increasingly globalised surveillance. These four principles, which will be developed further below, will form the framework for the development of more detailed rules at global level, but adherence to them has the potential to establish a global privacy regime ensuring both a high level of privacy protection and a high level of legal certainty in an increasingly global level-playing field.

Principle 1: Everyone must enjoy the right to privacy

Compared with countries such as the United States, European Union law and ECHR law provide a higher level of protection ratione personae, ie in answering the question of who has privacy rights.

The two key human rights instruments which form the backbone of EU constitutional law in the field — the European Convention on Human Rights and the European Union Charter of Fundamental Rights — extend the right to privacy (and, in the case of the Charter, the right to data protection), toeveryone, without limiting protection to citizens of the European Union Member States (Article 8 ECHR; Articles 7 and 8 of the Charter of Fundamental Rights.)

This approach to privacy is important as it creates equality and a level-playing field in the protection of privacy between citizens and aliens, and helps to address gaps in protection arising in particular from extraterritorial surveillance practices that states may employ.

Principle 2: The right to privacy must be broadly defined

The second area where European Union law provides a higher level of privacy protection than countries such as the United States involves the substanceand content of the right to privacy.

The ruling of the Court of Justice in Digital Rights Ireland demonstrates clearly that mass, generalised surveillance is unlawful under European Union law. The ruling of the Court of Justice in Digital Rights Ireland demonstrates clearly that mass, generalised surveillance is unlawful under European Union law.In reaching this conclusion, the Court has adopted the three-step test of assessing human rights compliance adopted by the European Court of Human Rights in Strasbourg: the Court assessed in turn interference of mass surveillance with the right to privacy; its necessity in a democratic society; and its proportionality to the aim pursued.

Mass surveillance does not pass the proportionality test. Proportionality in this context provides a stronger privacy safeguard than the Fourth Amendment ‘reasonableness’ test. The establishment of privacy-specific constitutional rights (Article 8 ECHR and Articles 7 and 8 of the Charter) further contributes to the achievement of a high level of substantive privacy protection in European Union law.

As evidenced by the ruling of the Court of Justice in Schrems, the clear limits that European Union law places on mass surveillance and the resulting high level of privacy protection in the European Union are required to apply extraterritorially when personal data is transferred from the European Union to third countries.

The right to privacy here serves to limit not only the processing of personal data (which is a key outcome of data protection law) but also, at an earlier stage, the very collection of such data for surveillance purposes.

Moreover, in a long series of case-law on data retention, national constitutional courts in Europe and the Court of Justice have linked the protection of privacy against mass surveillance to upholding the rule of law and maintaining the relationship of trust between the citizen and the state. This democratic dimension of the right to privacy must be taken into account and serve as a limit to mass surveillance practices.

Principle 3: Everyone must have a right to an effective remedy for privacy violations

The third area where European Union and ECHR law provides a high level of protection involves the provision of remedies and avenues for judicial redress to individuals whose privacy rights have been affected. In the case ofSchrems, European Union law has made it possible for individuals who claim to be potentially affected by mass surveillance (in the case of Schrems by being a Facebook subscriber concerned about the potential access to his personal data by US security services) to be provided with a remedy before national courts and before the Court of Justice of the European Union.

An extensive approach to standing has also been endorsed by the European Court of Human Rights. In its recent ruling in Zakharov, the Court stressed the need to ensure that the secrecy of surveillance measures does not result in the measures being effectively unchallengeable and outside the supervision of the national judicial authorities and of the Court.


‘the Court accepts that an applicant can claim to be the victim of a violation occasioned by the mere existence of secret surveillance measures, or legislation permitting secret surveillance measures, if the following conditions are satisfied. Firstly, the Court will take into account the scope of the legislation permitting secret surveillance measures by examining whether the applicant can possibly be affected by it, either because he or she belongs to a group of persons targeted by the contested legislation or because the legislation directly affects all users of communication services by instituting a system where any person can have his or her communications intercepted. Secondly, the Court will take into account the availability of remedies at the national level and will adjust the degree of scrutiny depending on the effectiveness of such remedies…. where the domestic system does not afford an effective remedy to the person who suspects that he or she was subjected to secret surveillance, widespread suspicion and concern among the general public that secret surveillance powers are being abused cannot be said to be unjustified. In such circumstances the menace of surveillance can be claimed in itself to restrict free communication through the postal and telecommunication services,thereby constituting for all users or potential users a direct interference with the right guaranteed by Article 8. There is therefore a greater need for scrutiny by the Court and an exception to the rule, which denies individuals the right to challenge a law in abstracto, is justified. In such cases the individual does not need to demonstrate the existence of any risk that secret surveillance measures were applied to him. By contrast, if the national system provides for effective remedies, a widespread suspicion of abuse is more difficult to justify. In such cases, the individual may claim to be a victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures only if he is able to show that, due to his personal situation, he is potentially at risk of being subjected to such measures.’(paragraph 171. Emphasis added).

In Zakharov, the European Court of Human Rights has provided a meaningful route towards upholding the right to an effective remedy with regard to privacy violations resulting from state surveillance. It has allowed standing where applicants can evoke the mere existence of secret surveillance measures, with individuals not needing to demonstrate the existence of any risk that surveillance measures were applied to them if national systems do not provide an effective remedy for individuals to challenge such surveillance.

The approach of the European Court of Human Rights is in stark contrast to the ruling of the United States Supreme Court in the case of Clapper (Clapper, Director of National Intelligence, et al. v. Amnesty International USA et al., 568 U.S. (2013)), where the Supreme Court rejected the respondents’ standing plea based on the claim that they have suffered injury, which is traceable to Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA, 50 U.S.C. para.1881a) because there is an objectively reasonable likelihood that their communications with their foreign contacts will be intercepted under para.1881a at some point, ruling that the respondents’ claims are highly speculative.

Principle 4: The requirement of independent supervision

The enjoyment of the right to an effective remedy is closely linked to the fourth area where European Union law provides a high level of constitutional protection of privacy compared to US law, namely the area of independent privacy supervision.

Independent supervision with regard to data protection law is firmly enshrined in EU constitutional law after Lisbon in both the Treaty on the Functioning of the European Union (TFEU) and in the European Union Charter of Fundamental Rights (Articles 16 TFEU and 8(2) of the Charter respectively).(See Hielke Hijmans.)

It is a European Union constitutional requirement which features prominently in transatlantic negotiations on the establishment of a level-playing field of protection, with the United States being seen as not providing an equivalent level of independent supervision.

Independent supervision has a dual role. It is essential to ensure rigorous and independent scrutiny of the compliance of Member States with EU constitutional and secondary legislation on data protection. However, it is also an avenue — via the powers of independent authorities to investigate individual complaints concerning breaches of data protection law — for the provision of an effective remedy for individuals whose privacy rights have been adversely affected.

This dual role of independent supervisory authorities in ensuring a meaningful and high level of protection has been confirmed in the ruling of the Court of Justice of the European Union in Schrems. There, the Court emphasised the powers of independent authorities to review the substance of individual complaints, even in the existence of a general decision presuming that the level of data protection in a third country (in that case in the United States) is ‘adequate’, with the Court linking such review with upholding the rule of law in the European Union (paragraphs 38-66, in particular paragraphs 58-60).The existence of an independent authority at the national level… has thus in this case proven essential in giving a voice to these individuals and providing remedies at both national and European Union level.

At the same time, the very existence of an independent authority at the national level has effectively provided the complainant with standing and an effective remedy at the national and at the Union level: Mr Schrems complained about the potential misuse of his Facebook personal data in the United States to the Irish independent supervisory authority, the Data Protection Commissioner. Upon rejection of his claim by the Commissioner, he brought an action challenging the Commissioner’s decision before the Irish High Court, which then decided to send the question in the form of a preliminary reference to the Court of Justice of the European Union — giving thus rise to the seminal ruling in Schrems.

The existence of an independent authority at the national level, where individuals can lodge complaints regarding potential breaches of their rights, has thus in this case proven essential in giving a voice to these individuals and providing remedies at both national and European Union level. The action of an individual citizen inSchrems, lodging a general claim before an independent authority (a claim which, under the reasoning of the US Supreme Court in Clapper would most likely be considered ‘speculative’), has resulted in a ruling by the Court of Justice of the European Union which has established a very high benchmark for the protection of privacy at European Union and transatlantic level.

EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement - EPIC 20160204

EPIC Seeks Release of "Privacy Shield," Secret Data Transfer Agreement - EPIC 20160204

EPIC has filed emergency Freedom of Information requests with the US and the EU for release of a secret agreement for the transfer of personal data across the Atlantic. A new framework was required by a recent decision of the European Court of Justice. But European and American consumer organizations say the "Privacy Shield" does not provide adequate protection for the transfer of personal data. EPIC stated, “The public has a right to know whether this agreement provides adequate legal protection.” EPIC previously obtained the secret EU-US Umbrella Agreement in FOIA litigation.

Chelsea Manning: In her own words - Amnesty International UK 20160207

Chelsea Manning: In her own words - Amnesty International UK 20160207

Chelsea Manning

'I feel like I’ve been stored away all this time without a voice'
- Chelsea Manning

She’s arguably the world’s most famous whistleblower. And despite the fact that she’s detained in a high-security military prison, Chelsea Elizabeth Manning is still finding ways to speak out.

Listen to Chelsea’s story, in her own words

This is Chelsea’s story, voiced by Michelle Hendley

Chelsea wrote to us and told us about her life in prison now, as well as the back story – how she came to be who she is and do what she did.

You can listen in full to Chelsea’s story above, voiced in our podcast by the actress Michelle Hendley, who lent Chelsea her voice for this episode of In Their Own Words.

Listen on soundcloud

'I was excited to do the podcast because it is a creative way for me to be able to express myself in my own words and in my own way, even though I am prevented by the rules of the prison to be photographed, video recorded, or audio recorded. Amnesty's podcast helps me from being erased from the public eye (or ear).'
- Chelsea Manning

Still speaking out

It’s now two and a half years since Chelsea Manning was sentenced to 35 years in military prison for leaking US military information to the WikiLeaks website in 2009 and 2010. She is currently detained in Fort Leavenworth military prison in Kansas.

Despite the very real restrictions on her freedom in prison, Chelsea has become a renowned free speech activist, making the most of opportunities to communicate from prison where possible to continue speaking out. Last year she tabled a challenge to US surveillance laws from her cell.

And she continues to speak out for transgender rights. She’s redefined how transgender people like her are treated in the US military; one year ago she won the right to become the first military prisoner to transition in prison.

The backstory: punished for whistleblowing on abuses

In 2009, 22-year-old Chelsea was serving as a military analyst in the US army in the US-led coalition war in Iraq. She was working with top-secret information. But some of the images and transcripts she was handling appeared to reveal human rights abuses – abuses committed by US forces and their allies. Abuses that the public would never know about.

In the interests of opening up public debate on the war, and in an attempt to show the world what she’d seen – what she later called ‘the true cost of war’ – Chelsea leaked around 750,000 confidential files to the website WikiLeaks. It was the biggest military information leak the US had ever seen. And it cost Chelsea her freedom.

US military authorities claimed that Chelsea had endangered public security by blowing the whistle: she was detained in solitary confinement and in 2013 appeared before a military tribunal, where she was convicted of numerous charges of theft and espionage (including six under the 1917 Espionage Act, often contested by free speech campaigners) – but cleared of the count of ‘aiding the enemy’ put to her (a charge that could have seen her sentenced to death).

In July 2013, a court dealt her one of the harshest sentences in recent US history for passing information to the media: 35 years in prison.

'I will serve my time knowing that sometimes you have to pay a heavy price to live in a free society'
Chelsea in a letter to President Barack Obama in 2013

Chelsea should be freed

At Amnesty, we’re calling on US authorities to free Chelsea immediately.

She is spending decades in prison because she shared information that she thought could shed a light on potential abuses and prompt meaningful public debate on the conflict. Prevented from using this in her defence at her tribunal and overcharged as a warning to others, Chelsea has been punished over the odds for actions.

Meanwhile, the US government has not investigated the abuses she exposed – while Chelsea has paid a high price for putting that information in the public realm.

Federal privacy watchdog wants info on agency tracking peaceful protests - Toronto Star 20160206

Federal privacy watchdog wants info on agency tracking peaceful protests - Toronto Star 20160206

Government Operations Centre comes under privacy office scrutiny over monitoring of peaceful protests, academic panels.

Privacy commissioner Daniel Therrien’s office refused to release the letter detailing the concerns with Government Operations Centre operations, telling the Star to go through the access to information process.
Privacy commissioner Daniel Therrien’s office refused to release the letter detailing the concerns with Government Operations Centre operations, telling the Star to go through the access to information process.

Canada’s privacy watchdog wants more information on a central government agency keeping tabs on peaceful protests.

Documents obtained by the Star show privacy commissioner Daniel Therrien’s office has asked the Government Operations Centre (GOC) to review its tracking of lawful protest and dissent.

“In (the letter), we asked that a more detailed analysis of the privacy risks relating to monitoring of public protests and demonstrations be undertaken and given to us to review,” Tobi Cohen, a spokesperson for Therrien, wrote in a statement.

“We are actively consulting with Public Safety on this file to make sure that we, and the Canadian public, have a full understanding of how personal information is being collected and shared under this program.”

The GOC provides 24/7 “situational awareness” for the federal government, and is supposed to help co-ordinate Ottawa’s response to natural disasters or threats to infrastructure.

But in late 2014, it was revealed the GOC has collected information on more than 800 peaceful protests, demonstrations and academic panels since 2006.

Therrien’s office refused to release the letter detailing the concerns with GOC operations, telling the Star to go through the access to information process.

The GOC does not conduct surveillance on protests, but serves as an intelligence clearing house for the federal government. That information can be as innocuous as Facebook event posts, to as detailed as RCMP and CSIS reports on incidents. The agency said no personal information is collected or shared.

According to its privacy impact assessment, the agency takes an “all-hazard” approach, including “civic disturbances.”

Documents tabled in Parliament in 2014 showed the GOC had information on events like a rally for veterans on Parliament Hill, a public panel discussion in Toronto on the oilsands, and a number of vigils and marches for missing and murdered indigenous women.

In June 2014, the Ottawa Citizen reported that the GOC asked government departments for help in compiling a “comprehensive listing of all known demonstrations” across the country.

The revelations drew the ire of the Liberals while in opposition.

“The government has frozen out and refused to meet with indigenous peoples and environmental groups, yet devotes disproportionate resources to spying on them,” Scott Brison, now a senior cabinet minister, said in September 2014.

“It would be much better to engage these groups meaningfully than to skulk around their meetings to hear what they’re thinking.”

But the GOC’s operations do not appear to have changed in the early days of the new Liberal government. The Star repeatedly reached out last week to the office of Public Safety and Emergency Preparedness Minister Ralph Goodale, but he was unavailable to comment.

“We remain committed to protecting the safety and security of Canadians while also protecting their rights and freedoms,” Public Safety spokesperson Jean Paul Duval wrote in an email.

“We have worked with the Office of the Privacy Commissioner to seek their advice and to ensure that GOC activities are in accordance with the personal information-handling practices of the federal government outlined in (Canadian privacy law).”

Duval noted the GOC completed its first “privacy impact assessment” — a routine government check on the risk to Canadians’ privacy for various programs — in May 2013.

“Subsequently, in August 2013 and October 2014, the privacy commissioner provided the GOC with various recommendations,” Duval wrote. “More specifically, some of the recommendations were around managing the potential for accidental or unintentional receipt of personal or private information outside of the GOC’s mandate, and to ensure correct disposal of that information.”

Examples of protests and demonstrations tracked by the Government Operations Centre:

  • A January 2006 protest on the war in Afghanistan and Bay Street’s “involvement” in Toronto, reported on by the Department of Justice.
  • A January 2007 demonstration by Amnesty International in Vancouver, tracked through media reports.
  • A May 2007 announcement by the Assembly of First Nations on a co-ordinator for a national day of action, tracked by Indigenous Affairs. Subsequent AFN demonstrations were tracked by various agencies, including the Integrated Terrorism Assessment Centre.
  • A series of Pro-Tamil rallies in Toronto, Ottawa and Montreal in April 2009.
  • A June 2010 rally for the University of Winnipeg Aboriginal Student Association, monitored by Indigenous Affairs.
  • As Occupy camps were set up across the United States and Canada in late 2011, the Government Operations Centre collected media reports on various locations.
  • Public service union rallies in Ottawa during February 2012 were monitored by “PS” — which could stand for the general “public service,” or Public Safety Canada.
  • A rally involving Ben Powless, a “Mohawk environmental activist,” in Toronto in August 2013, monitored by the RCMP.
  • The May 2014 edition of the annual anti-abortion “March for Life” on Parliament Hill, monitored by the Privy Council Office Crisis Management Centre.

Orwell, George - Britain and the USA haven’t been really tried, they haven’t known defeat or severe suffering - 1944

Most of the twentieth century’s notable men of letters — i.e., writers of books, of essays, of reportage — seem also to have, literally, written a great deal of letters. Sometimes their correspondence reflects and shapes their “real” written work; sometimes it appears collected in book form itself. Both hold true in the case of George Orwell, a volume of whose letters, edited by Peter Davison, came out last year. In it we find this missive, also published in full at The Daily Beast, sent in 1944 to one Noel Willmett, who had asked “whether totalitarianism, leader-worship etc. are really on the up-grade” given “that they are not apparently growing in [England] and the USA”:

I must say I believe, or fear, that taking the world as a whole these things are on the increase. Hitler, no doubt, will soon disappear, but only at the expense of strengthening (a) Stalin, (b) the Anglo-American millionaires and (c) all sorts of petty fuhrers of the type of de Gaulle. All the national movements everywhere, even those that originate in resistance to German domination, seem to take non-democratic forms, to group themselves round some superhuman fuhrer (Hitler, Stalin, Salazar, Franco, Gandhi, De Valera are all varying examples) and to adopt the theory that the end justifies the means. Everywhere the world movement seems to be in the direction of centralised economies which can be made to ‘work’ in an economic sense but which are not democratically organised and which tend to establish a caste system. With this go the horrors of emotional nationalism and a tendency to disbelieve in the existence of objective truth because all the facts have to fit in with the words and prophecies of some infallible fuhrer. Already history has in a sense ceased to exist, ie. there is no such thing as a history of our own times which could be universally accepted, and the exact sciences are endangered as soon as military necessity ceases to keep people up to the mark. Hitler can say that the Jews started the war, and if he survives that will become official history. He can’t say that two and two are five, because for the purposes of, say, ballistics they have to make four. But if the sort of world that I am afraid of arrives, a world of two or three great superstates which are unable to conquer one another, two and two could become five if the fuhrer wished it. That, so far as I can see, is the direction in which we are actually moving, though, of course, the process is reversible.

As to the comparative immunity of Britain and the USA. Whatever the pacifists etc. may say, we have not gone totalitarian yet and this is a very hopeful symptom. I believe very deeply, as I explained in my book The Lion and the Unicorn, in the English people and in their capacity to centralise their economy without destroying freedom in doing so. But one must remember that Britain and the USA haven’t been really tried, they haven’t known defeat or severe suffering, and there are some bad symptoms to balance the good ones. To begin with there is the general indifference to the decay of democracy. Do you realise, for instance, that no one in England under 26 now has a vote and that so far as one can see the great mass of people of that age don’t give a damn for this? Secondly there is the fact that the intellectuals are more totalitarian in outlook than the common people. On the whole the English intelligentsia have opposed Hitler, but only at the price of accepting Stalin. Most of them are perfectly ready for dictatorial methods, secret police, systematic falsification of history etc. so long as they feel that it is on ‘our’ side. Indeed the statement that we haven’t a Fascist movement in England largely means that the young, at this moment, look for their fuhrer elsewhere. One can’t be sure that that won’t change, nor can one be sure that the common people won’t think ten years hence as the intellectuals do now. I hope they won’t, I even trust they won’t, but if so it will be at the cost of a struggle. If one simply proclaims that all is for the best and doesn’t point to the sinister symptoms, one is merely helping to bring totalitarianism nearer.

You also ask, if I think the world tendency is towards Fascism, why do I support the war. It is a choice of evils—I fancy nearly every war is that. I know enough of British imperialism not to like it, but I would support it against Nazism or Japanese imperialism, as the lesser evil. Similarly I would support the USSR against Germany because I think the USSR cannot altogether escape its past and retains enough of the original ideas of the Revolution to make it a more hopeful phenomenon than Nazi Germany. I think, and have thought ever since the war began, in 1936 or thereabouts, that our cause is the better, but we have to keep on making it the better, which involves constant criticism.

Yours sincerely,
Geo. Orwell

Three years later, Orwell would write 1984. Two years after that, it would see publication and go on to generations of attention as perhaps the most eloquent fictional statement against a world reduced to superstates, saturated with “emotional nationalism,” acquiescent to “dictatorial methods, secret police,” and the systematic falsification of history,” and shot through by the willingness to “disbelieve in the existence of objective truth because all the facts have to fit in with the words and prophecies of some infallible fuhrer.” Now that you feel like reading the novel again, or even for the first time, do browse our collection of 1984-related resources, which includes the eBook, the audio book, reviews, and even radio drama and comic book adaptations of Orwell’s work.

Related Content:

George Orwell’s 1984: Free eBook, Audio Book & Study Resources

The Only Known Footage of George Orwell (Circa 1921)

George Orwell and Douglas Adams Explain How to Make a Proper Cup of Tea

For 95 Minutes, the BBC Brings George Orwell to Life

George Orwell’s Five Greatest Essays (as Selected by Pulitzer-Prize Winning Columnist Michael Hiltzik)

Lyon, David - The Snowden Stakes: Challenges for understanding surveillance today - 2015

Lyon, David - The Snowden Stakes: Challenges for understanding surveillance today - 2015


The drip-feed disclosures about state surveillance following Edward Snowden’s dramatic departure from his NSA contractor, Booz Allen, carrying over one million revealing files, angered some and prompted some serious heart-searching in others. One of the challenges is to those who engage in Surveillance Studies. Three kinds of issues present themselves: One, research disregard: responses to the revelations show a surprising lack of understanding of the complex, large-scale, multi-faceted panoply of surveillance that has been constructed over the past 40 years or so that includes but is far from exhausted by state surveillance itself. Two, research deficits: we find that a number of crucial areas require much more research. These include the role of physical conduits including fibre-optic cables within circuits or power, of global networks of security and intelligence professionals, and of the minutiae of everyday social media practices. Three, research direction: the kinds of surveillance that have developed over several decades are heavily dependent on the digital—and, increasingly, on so-called Big Data—but also extend beyond it. However, if there is a key issue raised by the Snowden revelations, it is the future of the internet. Information and its central conduits have become an unprecedented arena of political struggle, centred on surveillance and privacy. And those concepts themselves require rethinking.


Nineteen-Eighty-Four is an important book but we should not bind ourselves to the limits of the author’s imagination. Time has shown that the world is much more unpredictable and dangerous than that.”
- Edward Snowden, July 2014.


The disclosures about mass surveillance, provided by Edward Snowden, offer extensive insights into the inner workings of National Security Agency (NSA). One of the first things that featured in news accounts was that so-called mass surveillance is carried out on ‘US persons’ as well as foreigners and that those ‘foreigners’ may include close allies. While some details are tantalizingly patchy, for the most part the sheer volume of files and the range of areas to which they refer are nothing short of mind boggling. And although the drip-feed disclosures began in June 2013, they continue to be released, with the result that any commentary is open to further modification.

Moreover, the impact of Snowden’s whistleblowing leaks is now being felt more profoundly at a national policy level, in 2015, in more than one context. First, the US Freedom Act, passed on June 2, 2015, restored in modified form some aspects of the post-9/11 Patriot Act but crucially, restricts the bulk collection of telephone metadata of American citizens. Second, on June 11, a major governmentcommissioned report on counter-terrorism measures, A Question of Trust, by David Anderson, called for curbs on the UK’s GCHQ. In particular, it is highly critical of the existing system of oversight of intelligence agencies. Neither of these would have been possible without Snowden.

Both what may be learned from the disclosed documents and what may be seen of their direct impacts provide the basis for some serious re-thinking of some assumptions about surveillance in the 21st century. To take one prominent example, the very term ‘surveillance’ may require some new qualification. What is known about NSA practices raises questions about the supposed clear distinction between ‘mass’ and ‘targeted’ surveillance, and the wholesale use of ‘metadata’ foregrounds long-standing debates about how to define ‘personal data’ (or ‘personally identifiable information’). What goes for the ‘subject’ of surveillance applies to ‘privacy’ as well. Each requires some serious rethinking.

On these questions, themselves seen as controversial by defenders of the NSA’s practices, there is little settled opinion as yet. If data are sought on a ‘mass’ basis, from wide swathes of a given population, with a view to identifying algorithmically through correlations who might be a ‘person of interest,’ the point at which ‘mass’ becomes ‘targeted’ surveillance is at best an indeterminate threshold. And if the kind of data obtained in the first instance are in fact metadata—such as IP address, duration of call, which friends were contacted?—then they comprise just the kinds of information that a private detective might seek: who spoke to whom, when, and for how long? Despite protestations to the contrary, it is hard to deny that such metadata are highly ‘personal,’ especially now that the US Freedom Act explicitly limits such collection.

That the activities of the NSA and its sister agencies around the world are controversial is made abundantly clear by government efforts in more than one country to use the term ‘bulk collection’ of data rather than ‘mass surveillance.' 2 In a case in 2000, the European Court of Human Rights concluded that even the storing of data relating to the “private life” of an individual falls within the application of Article 8.1 of the European Convention on Human Rights (Bowden cited by Greenwald 2015). But the debates over this are fierce in countries such as the UK and US. This article argues that gathering and analyzing metadata, including content of communications, is best thought of as ‘mass’ surveillance, even though, as noted above, locating ‘suspects’ is still the main aim.

Surveillance Studies, the multi-disciplinary field of research dedicated to understanding in context contemporary practices such as monitoring, tracking and identification, is well positioned to respond to the new challenges raised by the Snowden files. However, the case made here is that, while some challenges are direct ones, to our grasp of substantive aspects of surveillance processes, others are indirect. While no claim is made about the exhaustiveness of the analysis that follows, it does suggest that Surveillance Studies can make significant contributions to considering each kind of challenge.

Snowden’s own comments about Orwell point in this direction, too. Given that, for many people, the spectre of Big Brother is still the one that fuels the imagination regarding mass surveillance, there is a need to place Orwell’s dystopic and cautionary tale in context. For Snowden, this is primarily a technological matter; “quaint” microphones hidden in bushes and the telescreen that can observe us have given way to mobile webcams and network microphones in cell-phones. But while Orwell cannot be blamed for not foreseeing the consequences of the so-called information revolution, it is also worth recalling that, like Max Weber or Hannah Arendt, 3 Orwell saw surveillance as in part an outcome of a relentless rationality expressed in bureaucratic procedures. That constraining cultural condition undoubtedly helps to explain why surveillance is in one sense self-augmenting. But more than that is needed to indicate in particular what difference is made by the digital.
Snowden’s conviction is that due to surveillance, today’s “…world is much more unpredictable and dangerous” than Orwell could have guessed. This too represents a genuine challenge from Snowden, not only to upgrade our grasp of new technology, but also place any and all technological systems in their social, political-economic and cultural context. The use of metadata, for example, is no mere outcome of technological potential, such as the exponential expansion of storage power, but of specific approaches to risk management in security industries and of consumer clustering in marketing, each of which has risen to prominence in contexts where globalization—understood as neo-liberalism—holds sway.

In what follows, three kinds of challenge are identified and discussed. The first, ‘research disregard,’ is in a sense historical: why the shocked and outraged responses to Snowden’s revelations as if this is the first we have heard of very large scale surveillance in the early 21st or even late 20th century? The second has more to do with substantive and current challenges emerging from the revelations themselves; I label it ‘research deficit.’ I indicate some areas that require some serious reappraisal in our understanding of surveillance today. The third, ‘research direction,’ points rather to the future, suggesting that the larger context of the Snowden revelations is the fate of the internet. Surveillance should never be thought of as a discrete dimension of the modern world. Today, it cannot be understood without investigating information and its current conduit, the internet. In a coda, I return to the issues of how to rethink ‘surveillance’ and ‘privacy’ for today.

These, then, are the Snowden stakes. The revelations have rightly remained buoyant in the headlines, just because so much is “at stake,” not merely for Surveillance Studies or the future of the internet, but more significantly, for privacy, human rights, civil liberties, freedom and justice.

Research disregard

The Snowden revelations continue to make headline news and several major diplomatic events have been sparked by them. Angela Merkel, Germany’s Chancellor and Dilma Roussef, the Brazilian president, for example, say they were shocked to discover that their cell-phone conversations had been monitored. 4 As well, individual populations outside the US have reacted negatively on finding that the NSA has been active in unexpected ways within their national territory. In Canada, for example, it was disclosed that the NSA had set up shop in the capital, Ottawa, in order to monitor the G8, G20 summit in June 2010 (Weston, Greenwald and Gallagher 2013).

Broadly speaking, at least three elements of surveillance practices became strikingly evident during 2013 and since. One, governments engage in mass surveillance on their own citizens. The NSA works closely with the ‘Five Eyes’ of Australia, Canada, New Zealand and the UK but their activities are also mirrored in many other countries. Two, corporations share their ‘own’ data supplies with government, to mutual benefit. This happens as internet companies in particular, knowingly or not, collude with government to provide personal data. Three, ordinary citizens also participate through their online interactions— especially in social media—and cell-phone use. Without necessarily being aware of it, we all feed data to the NSA and its cognate agencies, just by contacting others electronically (Lyon 2013).

However huge the revelations, though, it has to be said that there was little that was completely new about the three surveillance elements mentioned here. Granted, the massive import of the Snowden disclosures lay in the substantial store of clear evidence pointing to the present and ongoing reality of mass surveillance and this was undoubtedly new. When the news first broke in The Guardian on June 5 2013, several factors were startling. Verizon, the telecom giant, was required by the NSA to give information on all calls within the USA and between the USA and other countries between April and July that year. Secret domestic spying on an astounding scale was happening under President Obama (Greenwald 2013). But the international outcry against the realities of mass surveillance now revealed gave the impression that citizens were quite unaware and unprepared for what they now were hearing.

This suggests that surveillance was not really on the radar of most ordinary citizens. But still, to those engaged in examining surveillance and in proposing legal, technical and policy responses, the sense of unawareness may have come as something of a disappointment; it is easy to over-estimate the reception of our own work. Also, most responses worry about the assault on privacy, construed as a personal - understood as individual - matter, which shows little understanding of the ways that surveillance also operates as social sorting, targeting primarily population groups before individuals, or of how privacy speaks to these questions of human rights and social justice as well. The main exception to the individualizing focus on privacy is among those whose concern is that communications privacy has been egregiously violated, which prompts weighty questions about trust in particular.

The popular and media debate over Snowden has focused all-too-frequently on state surveillance primarily as a threat to individuals, except where the challenge to a free and open internet has been recognized. Yet the evidence shows that arbitrary power is used against all citizens when mass surveillance is practiced. As a number of advocates have argued for some time (Regan 1995; Bennett and Raab 2006; Steeves 2009), privacy is not only an individual matter. Surveillance and privacy can each be considered along a spectrum of relationships, from the monad to the multitude. By definition, mass surveillance means that anyone and everyone can be caught in the surveillance net and the larger the scale of surveillance, the more likely it is that false positives will emerge in the quest for ‘persons of interest.’ These questions are pursued below.

Despite two decades of growth in Surveillance Studies there seems to be little public understanding of surveillance as it is practiced today. The sorts of practices uncovered by Snowden are ones that have a long history, not only in the annals of intelligence gathering and national security agencies, but in spheres from policing to public administration to consumer marketing. This should be salutary for those engaged in the academic study of surveillance and indeed for any who care about freedom, democracy and justice in the 21st century (for a no-holds-barred critique see Giroux 2014). It is worth briefly reviewing that development.

In the 1980s those interested in the study of surveillance were concerned primarily with state surveillance on the one hand (e.g. Burnham 1983; Campbell and Connor 1986) and workplace surveillance on the other (e.g. Webster and Robins 1986; Zuboff 1988). More broadly, surveillance in the service of ‘social control’ was discussed in relation to policing and the management of offenders (e.g. Cohen 1985; Marx 1988), and this dimension was already merging, in part with questions of ‘national security.’ However, research on consumer surveillance—and its links with systems of public administration—were also available at this time (see the pioneering work of Rule 1974) but consumer surveillance would not be recognized as part of mainstream surveillance developments until the 1990s (see, prominently, Gandy 1993). Without exception, these authors stressed the impact of computerization on the ways that these existing forms of surveillance, including public video cameras, would develop.

By the 1990s, however, the term ‘surveillance society’ was in much more general use as a term that indicated the ways that what once seemed to be restricted to the activities of government, policing or employment was spilling over into everyday life (Lyon 2001). This term in no way minimized the importance of state surveillance but did indicate that systemic surveillance of many kinds could be expected simply as a result of conducting one’s daily affairs. Increasingly, surveillance became visible through ubiquitous cameras in public streets and locations such as shopping malls, the use of credit cards and, progressively, loyalty cards, plus, in some rudimentary ways, through online interactions that expanded after the development of the World Wide Web in 1994 and the subsequent commercialization of the internet, from 1995.

During the early 2000s, two events occurred that were to shape the direction of surveillance decisively, although the potential connections between them were not made public until 2010. One was the attacks of September 2001 (‘9/11’), and also the London bombings of ‘7/7’, and the Madrid train attack, the aftermath of which hugely boosted security-related surveillance at least in the global north. Interestingly, the activities of the quickly-formed Department of Homeland Security took some cues from ‘Customer Relationship Management’ (CRM) in their quest for ‘Total Information Awareness (TIA)’ (Lyon 2003: 92f). The other was the definitive appearance of social media, symbolized by the invention of Facebook in 2004, that quickly established itself as a mainstream dimension of the internet, simultaneously facilitating new levels of consumer surveillance (not to mention social surveillance, Marwick 2012; Trottier 2012), now based on self-expressed preferences and tastes. By President Obama’s inauguration in 2009 the DHS had developed a Social Networking Monitoring Center to check for ‘items of interest’ (Lynch 2010).

In a sense, then, the Snowden disclosures may be functioning as a wake-up call to publics still unaware that the day of mass surveillance of ordinary citizens had already dawned. If it was not already clear, after 9/11 the ‘national security’ rationale for intensified surveillance (Ball and Webster 2003) became prominent and with it the use of data analytics (now generally referred to as ‘Big Data,’ Lyon 2014a). The TIA was dependent on a very large-scale database using “new algorithms for mining, combining and refining data” 5 that included bank machine use, credit card trails, internet cookies, medical files — anything, indeed, that might produce interesting correlations that might indicate meaningful relationships between records. These, the Snowden files show, are among just the methods used by the NSA in its surveillance both domestic and foreign.

Without doubt, Snowden is right to raise issues of privacy, civil liberties—including freedom of expression, communication and assembly—and human rights in relation to what his findings have exposed about the NSA and its cognate agencies around the world. But what many studies of surveillance over the past two decades have shown is that deeper questions are raised that challenge many conventional assumptions about contemporary societies, their actual forms of power, their politics and their democratic institutions and processes. As the above analysis shows, this is not only a question of electronicallyenhanced bureaucratic power bearing down upon hapless citizens. It also has to do with how those citizens engage with the everyday, in communication, interaction and exchange, much of which occurs using digital devices. Arguably, then, it is also a matter of a surveillance culture (Lyon 2014b) in which an increasing proportion of the world’s population lives and to which, for a number of reasons, many have become inured.

As well as the more fundamental societal-cultural questions raised by the Snowden findings, the key issues of contemporary surveillance may also be discerned through considering some major trends that have become increasingly evident in the past decade or so (and in the following section, we explore how some of these intersect with three central Snowden-specific questions). In addition to the sheer exponential growth of surveillance, as it has increasingly become a basic mode of organizational practice, several other significant trends may be identified (for more on this, see Bennett et al. 2014; Brown 2010).

As mentioned earlier, security is becoming a key driver of surveillance, not only at the ‘national’ level but also in general types of policing, urban security and in workplaces, transit systems and schools (Taylor 2013). This is of course, a key issue and one fraught with basic problems of definition, which also relates to its status as a widely-used political rationale for a range of controversial measures. The kind of ‘national security’ that prompts increased surveillance arguably has little in common with the kinds of ‘security’—from things like famine, fear, even freedom—that many might think would benefit their communities and families. Moreover, in practice, many current attempts to procure national security seem to jeopardize the civil liberties and human rights basic to democratic practice (see Zedner 2009).

At the same time, it must be acknowledged that not only ‘security’ but also some much more mundane motifs are significant in the development of surveillance today. One is ‘efficiency,’ that encourages the use of cost-cutting policies and technology-intensive solutions and the other is ‘convenience’ that dominates much of the appeal of marketers to consumers. Under such very ordinary and unremarkable motifs surveillance expands apace, as evidence-producing technologies (as Josh Lauer calls them) are adopted for reasons that are routine and everyday.

‘Security,’ on the other hand, is still supreme among these ‘drivers.’ For philosopher Giorgio Agamben, the security motif seen behind contemporary surveillance may be trumping not only democracy but politics itself (Agamben 2013) and this insight may at least serve as a theorem to be explored. At the same time, this trend must be seen alongside another, the intertwining—and in some respects integration—of public and private agencies. The governmental and the corporate have always worked closely together in modern times but the idea that they inhabit essentially different spheres, with different mandates, is currently unraveling. As Snowden revealed, telephone companies such as Verizon and internet companies such as Microsoft work in tandem with state agencies such as the NSA, in ways that have yet to be fully understood.

Several other important trends also deserve mention, if only to flag their significance (they are discussed in Bennett et al. 2014). Mobile and location-based surveillance is expanding, which means that the timeand-space coordinates of our lives are increasingly monitored. Surveillance is more and more embedded in everyday environments such as buildings, vehicles and homes. Machines recognize individual owners and users through card-swiping or voice-activation. The human body is itself the source of surveillance data, with DNA records, fingerprinting, facial recognition coming to be viewed as reliable means of identification and verification. Moreover, all these trends are rapidly being globalized, which is in itself a surveillance trend of some import. As mentioned above, social surveillance via networking sites is rising, a topic we return to below. And in all this, it becomes steadily more difficult to know what exactly counts as ‘personal data.’ Vehicle licence plates, presence in group photos posted on social media and of course metadata make definition difficult.

All the above stand as challenges to Surveillance Studies in particular, and to any and all citizens of contemporary liberal democracies in general. There are, however, some more specific questions to which I now draw attention. These are areas in which, after Snowden, we are obliged to say that current surveillance research simply does not yet know enough.

Research deficit

If the historical problem is the apparent disregard of research about surveillance, permitting a sense of surprise rather than sober expectation, then the contemporary problem is that current research has yet to catch up with some vital surveillance developments. In each case—digital infrastructures, professional networks and social media practices—the difficulty of identifying the object of research is compounded by misleading language, dubious assumptions and inadequate theory. There is no conspiracy here, just an analytic fog that has to clear before the contours of each situation can be seen more sharply.

The first issue is one that may be most dramatically seen in relation to cloud computing (fog again?) and the electronic transfer of data from place to place. The metaphor of the cloud originated in diagrams intended to demonstrate how information is moved around (Mosco 2014: 77). The impression given—and reinforced through cloud marketing—is that somehow data flits weightlessly through the ether when in fact the actual conduits are fibre-optic cables. There is a geographical and material element to the cloud that belies the benign, fluffy, floating image. That material-geographic element is crucial to power configurations. Part of this has to do with the leading role of the US, through the NSA. As Andrew Clement shows, data files sent from the University of Toronto to the Ontario government (a few city blocks away, also in Toronto) actually travel down fibre-optic cables in a “boomerang” pattern to US data-handling interchanges before reaching their destination back in Canada (Clement 2013). They thus travel though a quite different data regime than Canada’s. But new power configurations are also generated by the capacity to tap into digital data, which depends on cooperation between participating countries in order to obtain general views of the operation of the internet.

NSA programs use such cables to collect (Upstream, Quantuminsert—see also commercial versions of such hacking programs 6 and to intercept (Tempora) data. Interceptors are placed strategically along the cable routes, a practice undertaken by many countries, as Snowden’s work shows, and through Global Crossing security agreements with private companies much of the world’s fibre optic cable is accessible to the US (Timberg and Nakashima 2013). More targeted surveillance occurs using systems like XKeyscore, which is linked to the PRISM program. XKeyscore also stores material in data caches spread around the world in specific locations (see map in Bennett et al. 2014: 113). PRISM, in turn, depends on consumer data obtained from internet companies through social media and cloud platforms (such as Dropbox; see Bauman et al. 2014: 123).

The second issue is that it is hard to pin down exactly who is conducting surveillance. Although the term ‘state’ surveillance is common in everyday parlance, those who stand in for ‘state’ employees are many and varied, and this follows from the point above about the blurring between public and private sectors. Snowden’s own position before his departure with the documents illustrates this. He worked for Booz Allen Hamilton, whose expertise was subcontracted to the NSA. Didier Bigo (e.g. 2008; see also Ball and Snider 2013; Bauman et al. 2014: 124-131; Lyon and Topak 2013) has for some time drawn attention to the ways in which “security professionals” now form an international network, operating in different countries but with extensive cooperation. These are intelligence agents, technical experts, police (both public and private), advisers and others whose immediate genesis lies in post-9/11 international antiterrorism cooperation but has now expanded into a clearly discernible network of some considerable influence.

Importantly, older distinctions break down as this network of “unease managers” (as Bigo calls them) develops. They connect public and private agencies, internal and external security, national and international interests and so on. This development grows alongside the digitization of security and surveillance such that, paradoxically, ‘national’ security is no longer ‘national’ in “…its acquisition or even analysis, of data…” which helps to blur “…the lines of what is national as well as the boundaries between law enforcement and intelligence” (Bauman et al. 2014: 125). This issue is related to the one mentioned above, about the uncertainty of who actually carries out surveillance, although the further point here is that a loose affiliation of professional organizations can be identified. They work together, learning from each other and developing their own protocols, rationales and surveillance practices.

As the examples from the US show, similar surveillance practices occur across the board, whether in the DHS, CIA, FBI or the NSA (or, for that matter, in the UK’s GCHQ or Canada’s CSEC). These ‘acronym’ policing and intelligence organizations also rely on similar subcontracting organizations that also display similar technical, statistical and political-economic activities (see Ball and Snider 2013). Both policing and intelligence agencies have military connections that also influence their practices and as well the traffic is two way: information handling is crucial to each, such that policing becomes more data-heavy (Haggerty and Ericson 1997) and also more inflected by military method (Brodeur 2010). In all cases it is also clear that such organizations do not just react to perceived threats to national security or to criminal acts. They actively construct the target populations and refine the rationales for so-doing. This is where the commercial connections with technology corporations also become centrally significant, in conjunction with government actors. Policy influences and is influenced by the corporate and technical approaches and practices. At an organizational and network level, then, relationships are manifold and complex.

The third ‘research deficit’ question has to do with the tissues connecting these organizational networks and their practices with the subjects of surveillance or, more properly, with target populations. The internet, and above all social media, are crucial here, although cell-phone use is another linked dimension of the same question. It is important to recall that social media is a 21st century phenomenon of only very recent provenance. Yet it has grown at an astonishing speed and with amazing global reach such that it is now one of the dominant aspects of internet use. While much significant social research has occurred in this area—particularly with the help of units such as the Oxford Internet Institute in the UK or the Pew ‘Internet and American Life’ program—understanding how social media users operate in relation to practices and concepts relating to surveillance and privacy is still very much an infant subfield and a vital research priority (see, e.g. Fuchs 2014; Marwick 2013; Trottier 2012).

In a longer historical frame, it might seem strange that social media users would freely permit personal details to be widely and promiscuously circulated online, thus making them vulnerable to intense surveillance both by the corporations that seek their data for marketing purposes and by policing and intelligence agencies. Such willing compliance would surely have puzzled and bothered an Orwell, attuned as he was to the use of new technologies to procure popular subservience to the state. But there is a strong sense in which today’s situation is decidedly post-Orwellian. Not merely that the technologies of surveillance have been hugely upgraded, but that surveillance practices are common to all organizations, which amounts to surveillance “regimes” (Giroux 2014: 7) and as I noted above, a surveillance culture. In such a culture, surveillance is not only a form of entertainment but also something encountered in everyday life and in which many knowingly and actively engage themselves. Lives are lived, in part, online.

The research question that presents itself here is what long-term impact the Snowden revelations and their aftermath will have in informing and perhaps reorienting the practices of social media users. This involves careful analysis of how users themselves perceive the situations in which they find themselves and the practices they pursue online. For instance, Pew researchers found that social media users are unwilling to discuss Snowden online—and offline too—preferring safer environments such as the dinner table for such conversations. 7 As well this is a challenge for policy and advocacy research that is willing to go beyond conventional understandings of surveillance and, especially, privacy (see e.g. Cohen 2012).

This also involves fresh investigations of the potential of internet communication for questioning and resistance to forms of surveillance deemed excessive, unnecessary, or illegal. One the one hand, numerous internet-related NGOs and lobby and pressure groups have formed a disparate social movement to demand accountability for, and transparency about, the surveillance practices exposed by Snowden. 8 On the other, everyday engagement of users with social media may be reflexively informed by growing knowledge of how surveillance works in the world after Snowden. Concepts such as “exposure” (Ball 2009) find new critical import for understanding how, how much, and under what circumstances users reveal personal data to others.

These questions lead into a more general inquiry about the future of internet-related surveillance research, which, I argue in the next section, has risen in significance to stand today as a key area—in the sense that it informs many other areas —in surveillance research.

Research direction

Internet freedom—the ability to use the network without institutional constraints, social or state control, and pervasive fear—is central to the fulfillment of [its] promise. Converting the internet into a system of surveillance thus guts it of its core potential.
(- Glenn Greenwald 2014: 6)

Any field of study, including that of surveillance, is obliged to review from time-to-time the main force-fields that shape the object of analysis. Today the internet is bound up with surveillance at many levels and thus deserves special attention. This section argues that the research direction for Surveillance Studies should be strongly inflected by issues of information and the internet. The kinds of surveillance that have developed over several decades are heavily dependent on the digital—and, increasingly, on what is now labelled Big Data—but also extend beyond it. As Greenwald indicates, the Snowden revelations raise as a key issue the future of the internet. While it is true that modern societies have been ‘information societies’—and thus ‘surveillance societies’—from their inception (Lyon 2005), today information and its central conduits have become an unprecedented arena of political struggle, centred on surveillance. This suggests that both analytically, in terms of research directions, and politically, in terms of practice and policy, the internet and surveillance are bound in a mutually-informing relation.

The use of internet for surveillance is not new but its scope has never been greater. For many, such as Greenwald and Snowden himself, this is a great betrayal of the initial wave of optimism about its democratic potential with which the internet was born. The hoped-for human benefit pre-dated the commercialization of the internet but versions of it were also woven-into many corporate aspirations in Silicon Valley and elsewhere from the 1990s onwards. Some popular and prescient writers such as Ithiel de Sola Pool (1983) foresaw the development of what we now call the internet, arguing that it was a key carrier of technological freedom. He insisted that free speech would become a vital issue. How regulation and access were organized would determine whether or not the new communications would enhance democracy as the political platform and the printing press had done before.

What happened to those utopian dreams of the ‘information revolution’ pundits of the 1980s? After all, they had correctly noted the emancipatory and democratizing possibilities offered by the new technologies. But Ithiel de Sola Pool and others of his ilk perhaps paid insufficient attention to the already-existing political economy informing information technologies—not to mention the over-arching cultural belief in the power of Technology. Together, they led to a failure to note that the new technologies might be deemed efficacious despite evidence to the contrary, and to see the flaws in the analysis that sees knowledge as a new and independent factor of production. Following Karl Polanyi (1944, 2001), one might think of informational knowledge as in fact a ‘fictitious commodity’ that has been cut off from its social origins in creative labour as an ‘independent’ form in expert systems or virtual services (Hayles 1999), integrated into an economic system of general commodification where profit is the bottom line, and is allocated through the market, where reciprocity or social justice have little or no say (Jessop 2007; also Schiller 1988). The commodification of the internet in 1995 was a critical moment in the more general development of information as a fictitious commodity.

However, De Sola Pool’s thirty-year-old comments on freedom of speech came home dramatically as documents were released by Snowden. By this time matters had become polarized. Right on the heels of the news about the NSA’s access to Verizon telephone subscriber data came the disclosures about the PRISM program that directly implicated major internet companies such as Microsoft, Yahoo!, Google and Facebook. Urgent exchanges occurred, some of which involved some puzzlement on the part of the companies: yes, they had parted with some data but the revelations seemed to suggest that far greater quantities were involved than they had themselves authorized. As it transpired, beyond the FISAauthorized access to data held by internet companies, the NSA had also found ways to intercept upstream in the data flow, using systems such as Muscular, developed by the NSA along with Five Eyes partner the UK GCHQ (Gellman and Soltani 2013).

As Steven Levy noted in a Wired article (Levy 2014), the Snowden ‘revelations’ exposed a “…seemingly irresolvable conflict. While Silicon Valley must be transparent in many regards, spy agencies operate under a cloak of obfuscation.”

Snowden’s findings shone a spotlight on an issue of which internet companies had been all too aware for some years. Companies such as Google, Yahoo! and Twitter had struggled to hold off government attempts, through the Foreign Intelligence Surveillance Act (FISA) court, to oblige them to hand over customer data. To their credit, the companies seemed to have tried to ward off such efforts 9 but the combination of government power and the fact that the companies also have government contracts compromised the struggle somewhat. PRISM focused the fight, but the secrecy surrounding the NSA has made it very difficult to know exactly what is happening. They are fighting in a fog. This also presents problems for those trying to research corporate-government surveillance relations.

The details of the ongoing controversies and battles may be found on various sites 10 but the theme that unites them is surveillance and the future of the internet. This has several implications for analysis and action.

One important outcome is that those studying surveillance have come to realize that those researching communications have much to offer. From Oscar Gandy’s or Joseph Turow’s pioneering work in consumer surveillance to Mark Andrejevic’s or Alice Marwick’s explorations of online surveillance (Gandy 1993, 2012; Turow 2012; Andrejevic 2007, 2013; Marwick 2013), not to mention ongoing work on communications surveillance itself, the connections are clear. Those whose surveillance background is in criminology or public policy in particular may need to strengthen their analyses by examining more closely how the internet intersects with their understanding of surveillance. Equally, those grappling with questions about internet surveillance would do well to look at the literatures of surveillance—and of privacy—more broadly conceived (e.g. Raab and Goold 2011).

A second area is to explore further the analytical possibilities for considering information as a fictitious commodity. One could argue, for example, with the strong push towards so-called Big Data, that the severing of connections between information and its social roots is now even more pronounced. In N. Katherine Hayles’ analysis, information “loses its body” dating from the time of the 1950s Macey Conferences on communication theory onward. But I would argue that now so-called personal data progressively loses its ‘person’ (Lyon 2014a). When data gathered for commercial (marketing) purposes—which already stretch the links between data and individuals—are then resignified for security goals, quite new social and legal problems appear (Amoore 2014). All too often, inappropriate talk of ‘raw data’ gives the impression that they are harmless technical means of connecting the dots through algorithms. The practices and politics of algorithms are profound but scarcely explored (but see e.g. Kitchin 2014; Morozov 2013).

A third area of concern has to do with the politics of the internet in the era of ‘mass’ surveillance. In an obvious sense, this has been a key aspect of the Snowden controversies from the outset. Governments, including the US Administration, have been obliged to respond to the continuing debates over state power and its entwinement with commercial networks, especially internet companies (see e.g. Clarke et al. 2014). But the politics of internet surveillance is also a strong current running through the internet companies themselves—they have had to distance themselves from the NSA while at the same time acknowledging that they do cooperate extensively with government. Alongside these areas of turbulence is the active resistance of numerous NGOs who are engaged with both the civil liberties and privacy dimensions of mass surveillance and, again, the future of the internet itself. The new coalitions that have formed since Snowden, between EPIC, EFF and ACLU in the US, for instance, or under the banner of OpenMedia in Canada, are making waves in fresh ways and building creatively towards consensus on each new Snowden revelation. Could this be the more concerted response to surveillance that Colin Bennett concluded was still lacking when he published his 2008 book, The Privacy Advocates?

The future of the internet still hangs in the balance as the revelations about mass surveillance continue. As Ron Deibert indicates in Black Code (2013), broad issues of enclosure, secrecy and the arms race are all implicated here. And as Jonathan Zittrain (2009) reminds us, from a different standpoint, the internet has never had a golden age. The problems as well as the potential were built-in from the outset. Analysis of the spread of surveillance has never been more significant, from the threats to individual people to the consequences for war and peace, wealth and poverty, on a global level.

Coda: Snowden, surveillance and privacy

This article has surveyed some of the most striking implications of what, thanks to Snowden, we now know about ‘national security’ surveillance in the early 21st century. The historical question is, why, when the surveillance society is already so well-developed, were Snowden’s ‘revelations’ read in the media as a complete surprise? The current question asks what key aspects of today’s surveillance require new forms of analysis, along with policy and political response? The future question considers what the internet has now come to signify, and how it might be reclaimed for its original promise, given that it is the key site for surveillance practices at several levels?

At the outset, however, we noted that the Snowden revelations raise questions about the very language commonly used to discuss the monitoring and tracking of daily life and responses to these practices: surveillance and privacy. Concepts are always contested, some more than others. And definitions are always difficult because they reveal the time, place and cultural assumptions of their origins. Again, these questions have been raised before, but perhaps never so sharply as in relation to the post-Snowden scene. Once, the distinction between targeted and mass surveillance seemed fairly clear. No more. The lines blur with traffic between the two; is the person or the profile being surveilled? Once, privacy was construed primarily as a matter relating to the interests, or rights, of a specific identifiable individual. No more.

When profiling is ‘anticipatory’ and hunches about a possible ‘nexus’ to terrorism are the basis of suspicion, how exactly does privacy address this?

It has been argued here that the kinds of surveillance highlighted by the Snowden revelations are on the one hand information-intensive, often relating to the internet and on the other, ‘national security’-oriented. The concept of ‘security’ also requires problematizing in this context, which is yet another task for the multi-disciplinary research that today is patently urgent. As with surveillance or privacy, defining security is difficult especially under present conditions, where ‘national’ security has been elevated to a top priority by many governments. It is a highly contested concept (Zedner 2009) often erroneously supposed to be in conflict 11 with claims to a right to privacy or to civil liberties. Much more nuanced understandings of security are required if the term is to retain any connection with the desires, aspirations and indeed well-being of everyday citizens. And these must be considered in relation to the other concepts— surveillance and privacy—affected by the ‘Snowden stakes’ and discussed here (see Raab 2014; Bigo [2008] 2012; Lyon 2015).

The Snowden stakes are many and varied and differ from country to country. But this complexity should not be allowed to obscure the fact that in all cases those stakes are high. The disclosures challenge some taken-for-granted assumptions and expose the real gaps in current knowledge. But this is not only a matter for those engaged in surveillance research—from whatever discipline; this is a multi-disciplinary enterprise involving not only the social sciences but investigative journalists and computer professionals as well. 12 At stake, in particular, is the future of the internet and of digital communications in general. This article tries to stress the magnitude of this challenge and hints at some ways in which this can at least be described and analyzed that do not conform to some of the dangerously dominant assumptions currently available. But the stakes are even larger and they include the very character and possibilities for politics, democracy and social justice in a time of post-Orwellian big data surveillance.


Agamben, Giorgio. 2013. For a theory of destituent power. Chronos. Available at:

Amoore, Louise. 2014. Security and the claim to privacy. International Political Sociology 8(1) 108-112.

Andrejevic, Mark. 2013. Infoglut: How too much information is changing the way we think and know. London: Routledge.

Andrejevic, Mark. 2007. iSpy: Surveillance and Power in the Interactive Era. Lawrence: University of Kansas Press.

Ball, Kirstie S. and Laureen Snider, eds. 2013. The Surveillance-Industrial Complex: A Political Economy of Surveillance. London and New York: Routledge.

Ball, Kirstie S. 2009. Exposure: exploring the subject of surveillance. Information, Communication & Society 12 (5): 639-657.

Ball, Kirstie S. and Frank Webster, eds. 2003. The Intensification of Surveillance. London: Pluto Press.

Bauman, Zygmunt, Didier Bigo, Paulo Esteves, Elspeth Guild, Vivienne Jabri, David Lyon and R.B. Walker. 2014. After Snowden: Rethinking the impact of surveillance. International Political Sociology 8 (2): 121-144.

Bennett, Colin J. 2008. The Privacy Advocates: Resisting the Spread of Surveillance. Cambridge, MA: MIT Press.

Bennett, Colin J. and Charles D. Raab. 2006. The Governance of Privacy: Policy Instruments in Global Perspective. Cambridge, MA: MIT Press.

Bennett, Colin J., Kevin D. Haggerty, David Lyon and Valerie Steeves, eds. 2014. Transparent Lives: Surveillance in Canada. Edmonton AB: Athabasca University Press. Also available at:

Bigo, Didier. 2008. Globalized (in)security: The field and the banopticon. In Didier Bigo and Aanastassia Tsouskala, eds. Terror, Insecurity and Liberty. London and New York: Routledge.

Bigo, Didier. 2012 [2008]. International Political Sociology. In Security Studies: An Introduction, ed. P. Williams, 116-128. Abingdon: Routledge.

Brodeur, Jean-Paul. 2010. The Policing Web. Oxford and New York: Oxford University Press.

Brown, Ian. 2010. The challenges to European data protection laws and principles. Woking paper #1 of the Directorate General Justice Freedom and Security. Available at:

Burnham, David. 1983. The Rise of the Computer State. New York: Vintage.

Campbell, Duncan and Steve Connor. 1986. On the Record: Surveillance, Computers and Privacy. London: Michael Joseph.

Clarke, Richard, Michael Morrell, Geoffrey Stone, Cass Sunstein and Peter Swire. 2014. The NSA Report: Liberty and Security in a Changing World. Princeton, NJ and Oxford: Princeton University Press.

Clement, Andrew. 2013. IXmaps – Tracking your personal data through the NSA’s warrantless wiretapping sites. IEEE International Symposium on Technology and Society. (IEEE Explore Digital Library: 216-223, doi:

Cohen, Julie. 2012. Configuring the Networked Self. New Haven, CN: Yale University Press.

Cohen, Stanley. 1985. Visions of Social Control. Cambridge: Polity Press.

Dandeker, Christopher. 1990. Surveillance Power and Modernity. Cambridge: Polity.

De Sola Pool, Ithiel. 1983. Technologies of Freedom: On Free Speech in an Electronic Age. Cambridge, MA: The Belknap Press.

Deibert, Ronald. J. 2013. Black Code: Surveillance, Privacy and the Dark Side of the Internet. Toronto: Signal (McClelland & Stewart).

Fuchs, Christian. 2014. Social Media: A Critical Introduction. London: Sage.

Gandy, Oscar. 2012. Coming the Terms with Chance: Engaging Rational Discrimination and Cumulative Disadvantage. London: Ashgate.

Gandy, Oscar. 1993. The Panoptic Sort: A Political Economy of Personal Information. Boulder, CO: Westview Press.

Gellman, Barton, and Ashkan Soltani. 2013. NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say. The Washington Post. October 30. Available at:

Giroux, Henry. 2014. Totalitarian paranoia in the post-Orwellian surveillance state. Cultural Studies. Online May 14. Available at:

Greenwald, Glenn. 2015. The Orwellian re-branding of mass surveillance as merely ‘bulk collection.’ The Intercept March 13. At

Greenwald, Glenn. 2014. No Place to Hide: Edward Snowden, the NSA, and the US Surveillance State. New York: Metropolitan Books,Toronto: McClelland and Stewart.

Greenwald, Glenn. 2013. NSA collecting phone records of millions of Verizon customers daily. The Guardian. June 5. At

Haggerty, Kevin D. and Richard V. Ericson. 1997. Policing the Risk Society. Toronto: University of Toronto Press.

Hayles, N. Katherine. 1999. How we became Posthuman: Virtual Bodies in Cybernetics, Literature, and Informatics. Chicago: University of Chicago Press.

Jessop, Bob. 2007. Knowledge as a fictitious commodity: insights and limits of a Polanyian analysis. In Reading Karl Polanyi for the 21st Century: Market Economy as a Political Project, eds A. Bugra and K. Agartan, 115-134. Basingstoke: Palgrave. Kitchin, Rob. 2014. The Data Revolution: Big Data, Open Data, Data Infrastructures and their Consequences. London: Sage.

Lauer, Josh. 2012. Surveillance history and the history of new media: evidence-producing technologies. New Media and Society 14 (4) 566-582.

Levy, Steven. 2014. How the NSA almost killed the internet. Wired. July 1. Available at:

Lynch, Jennifer. 2010. New FOIA documents reveal DHS social media monitoring during Obama inauguration. Available at:

Lyon, David. 2015 (forthcoming). Surveillance after Snowden. Cambridge: Polity.

Lyon, David. 2014a. Surveillance, Snowden and Big Data: Capacities, Consequences, Critique. Big Data & Society 1 (1). Available at:

Lyon, David. 2014b. The emerging surveillance culture. In Media, Surveillance and Identity, eds André Jansson and Miyase Christensen. New York: Peter Lang.

Lyon, David. 2013. Can citizens roll back silent army of watchers? The Toronto Star. September 23. Available at:

Lyon, David and Özgün Topak. 2013. Promoting global identification: corporations, IGOs and ID card systems. In The Surveillance-Industrial Complex: A Political Economy of Surveillance, eds Kirstie S. Ball and Laureen Snider, 27-43. London and New York: Routledge.

Lyon, David. 2005. A sociology of information. In The Sage Handbook of Sociology, eds Craig Calhoun, Chris Rojek and Bryan Turner. London and New York: Sage.

Lyon, David. 2003. Surveillance after September 11. Cambridge: Polity.

Lyon, David. 2001. Surveillance Society: Monitoring Everyday Life. Buckingham: Open University Press.

Morozov, Evgeny. 2013. The real privacy problem. MIT Technology Review. October 22. Available at:

Marquez, Xavier. 2012. Spaces of appearance and spaces of surveillance. Polity 44: 6-31.

Marwick, Alice. 2013. Status Update: Celebrity, Publicity and Branding in the Social Media Age. New Haven, CT: Yale University Press.

Marwick, Alice. 2012. The public domain: Surveillance in everyday life. Surveillance & Society 9 (4): 378-393.  Marx, Gary. 1988. Undercover: Police Surveillance in America. Berkeley, CA: University of California Press.

Mosco, Vincent. 2014. To the Cloud: Big Data in a Turbulent World. Boulder, CO and London: Paradigm Publishers.

Polanyi, Karl. 2001. The Great Transformation: The Political and Economic Origins of Our Time, 2nd ed. Foreword by Joseph E. Stiglitz. Boston: Beacon Press.

Polanyi, Karl. 1944. The Great Transformation. New York: Farrar and Rinehart.

Raab, Charles. 2014. Privacy as a Security Value. In Jon Bing: En Hyllest / A Tribute, eds Dag Wiese Schartum, Lee Bygrave and Anne Gunn Berge Bekken, 39-58. Oslo: Gyldendal.

Raab, Charles. 2013. Studying surveillance: the contribution of political science? Political Insight. October 29. Available at:

Raab, Charles and Benjamin Goold. 2011. Protecting Information Privacy. Equality and Human Rights Commission Research Report 69. Available at:

Regan, Priscilla. 2009 (1995). Legislating Privacy: Technology, Social Values and Public Policy. Durham, NC: University of North Carolina Press.

Rule, James. 1974. Private Lives, Public Surveillance: Social Control in the Computer Age. New York: Schocken Books.

Schiller, Dan. 1988. How to Think about Information. In The Political Economy of Information, eds V. Mosco and J. Wasko, 2744. Madison: University of Wisconsin Press.

Steeves, Valerie. 2009. Reclaiming the social value of privacy. In Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Age, eds Ian Kerr, Carol Lucock and Valerie Steeves. New York: Oxford University Press.

Taylor, Emmeline. 2013. Surveillance Schools: Security, Discipline and Control in Contemporary Education. London: Macmillan.

Timberg, Craig and Ellen Nakashima. 2013. Agreements with private companies protect access to cables’ data for surveillance. The Washington Post, July 6. Available at:

Trottier, Daniel. 2012. Social Media as Surveillance. London: Ashgate.

Turow, Joseph. 2012. The Daily You: How the New Advertising Industry is Defining your Identity and your Worth. New Haven, CT: Yale University Press.

Webster, Frank, and Kevin Robins. 1986. Information Technology: A Luddite Analysis. NJ: Ablex.

Weston, Paul, Glenn Greenwald and Ryan Gallagher 2013. New Snowden docs show US spied during G20 in Toronto. CBC News, Nov 27. Available at:

Zedner, Lucia. 2009. Security. New York and London: Routledge.

Zittrain, Jonathan. 2009. The Future of the Internet. New Haven, CT: Yale University Press. 

Zuboff, Shoshana. 1988. In the Age of the Smart Machine: The Future of Work and Power. New York: Basic Books.

  2.  In May 2015 the US Court of Appeals ruled that the collection of bulk phone metadata by the NSA never was legal.
  3. Weber and Arendt have much to say about what is now known as surveillance, in relation to maintaining bureaucratic records on individuals (Weber) or how power is generated in “spaces of appearance” (Arendt). See e.g. Dandeker 1990; Marquez 2012.
  4. It is symptomatic of today’s celebrity culture, of course, that surveillance of high-profile public figures garners much more mass media interest than the mass surveillance of ordinary—in this case German—citizens. At the same time, it is not only the NSA that spies on others’ leaders: Germany has also kept tabs on prominent Americans such as John Kerry and Hillary Clinton.  See
  8.  Coalitions against mass surveillance have engaged in several concerted global events since Snowden’s disclosures began. See e.g.  The "tansparency" question, however, is in tension with the legitimate but limited need for secrecy within intelligence agencies. Research could fruitfully be brought to bear on this vexed question.
  9. Centre for Democracy and Technology, September 2014: ‘Yahoo v. U.S. PRISM documents,’ available at
  10. See  e.g. , or
  11. The phrase “…finding a balance between privacy and security” is routinely intoned by governments and media alike but it is at best vacuous and at worst a cloak for undermining the one to bolster the other.
  12. See e.g. the call from political scientist Charles D. Raab (2013).

Deibert, Ronald - Authoritarianism Goes Global: Cyberspace Under siege - 201507

Deibert, Ronald, "Authoritarianism Goes Global: Cyberspace Under siege," Journal of Democracy, Volume 26, Number 3, July 2015, pp. 64-78.

December 2014 marked the fourth anniversary of the Arab Spring. Beginning in December 2010, Arab peoples seized the attention of the world by taking to the Internet and the streets to press for change. They toppled regimes once thought immovable, including that of Egyptian dictator Hosni Mubarak. Four years later, not only is Cairo’s Tahrir Square empty of protesters, but the Egyptian army is back in charge. Invoking the familiar mantras of anti-terrorism and cyber-security, Egypt’s new president, General Abdel Fattah al-Sisi, has imposed a suite of in- formation controls. 1 Bloggers have been arrested and websites blocked; suspicions of mass surveillance cluster around an ominous-sounding new “High Council of Cyber Crime.” The very technologies that many heralded as “tools of liberation” four years ago are now being used to stifle dissent and squeeze civil society. The aftermath of the Arab Spring is looking more like a cold winter, and a potent example of resurgent authoritarianism in cyberspace.

Authoritarianism means state constraints on legitimate democratic political participation, rule by emotion and fear, repression of civil society, and the concentration of executive power in the hands of an unaccountable elite. At its most extreme, it encompasses totalitarian states such as North Korea, but it also includes a large number of weak states and “competitive authoritarian” regimes. 2 Once assumed to be incompatible with today’s fast-paced media environment, authoritarian systems of rule are showing not only resilience, but a capacity for resurgence. Far from being made obsolete by the Internet, authoritarian regimes are now actively shaping cyberspace to their own strategic advantage. This shaping includes technological, legal, extralegal, and other targeted information controls. It also includes regional and bilateral cooperation, the promotion of international norms friendly to authoritarianism, and the sharing of “best” practices and technologies.

The development of several generations of information controls has resulted in a tightening grip on cyberspace within sovereign territorial boundaries. A major impetus behind these controls is the growing imperative to implement cyber-security and anti-terror measures, which often have the effect of strengthening the state at the expense of human rights and civil society. In the short term, the disclosures by Edward Snowden concerning surveillance carried out by the U.S. National Security Agency (NSA) and its allies must also be cited as a factor that has contributed, even if unintentionally, to the authoritarian resurgence.

Liberal democrats have wrung their hands a good deal lately as they have watched authoritarian regimes use international organizations to promote norms that favor domestic information controls. Yet events in regional, bilateral, and other contexts where authoritarians learn from and cooperate with one another have mattered even more. Moreover, with regard to surveillance, censorship, and targeted digital espionage, commercial developments and their spin-offs have been key. Any thinking about how best to counter resurgent authoritarianism in cyberspace must reckon with this reality.

Mention authoritarian controls over cyberspace, and people often think of major Internet disruptions such as Egypt’s shutdown in late January and early February 2011, or China’s so-called Great Firewall. These are noteworthy, to be sure, but they do not capture the full gamut of cyberspace controls. Over time, authoritarians have developed an arsenal that extends from technical measures, laws, policies, and regulations, to more covert and offensive techniques such as targeted malware attacks and campaigns to co-opt social media. Subtler and thus more likely to be effective than blunt-force tactics such as shutdowns, these measures reveal a considerable degree of learning. Cyberspace authoritarianism, in other words, has evolved over at least three generations of information controls. 3

First-generation controls tend to be “defensive,” and involve erecting national cyber-borders that limit citizens’ access to information from abroad. The archetypal example is the Great Firewall of China, a system for filtering keywords and URLs to control what computer users within the country can see on the Internet. Although few countries have matched the Great Firewall (Iran,  Pakistan, Saudi Arabia, Bahrain, Yemen, and Vietnam have come the closest), first-generation controls are common. Indeed, Internet filtering of one sort or another is now normal even in democracies.

Where countries vary is in terms of the content targeted for blocking and the transparency of filtering practices. Some countries, including Canada, the United Kingdom, and the United States, block content related to the sexual exploitation of children as well as content that infringes copyrights. Other countries focus primarily on guarding reli- gious sensitivities. Since September 2012, Pakistan has been blocking all of  YouTube over a video, titled “Innocence of Muslims,” that Pakistani authorities deem blasphemous. 4  A growing number of countries are blocking access to political and security-related content, especially content posted by opposition and human-rights groups, insurgents, “extremists,” or “terrorists.” Those last two terms are in quotation marks because in some places, such as the Gulf states, they are defined so broadly that content is blocked which in most other countries would fall within the bounds of legitimate expression.

In 2012, Renu Srinavasan of Mumbai found herself arrested merely for hitting the “like” button below a friend’s Facebook post.

National-level Internet filtering is notoriously crude. Errors and inconsistencies are common. One Citizen Lab study found that Blue Coat (a U.S. software widely used to automate national filtering systems) mistakenly blocked hundreds of non-pornographic websites. 5 Another Citizen Lab study found that Oman residents were blocked from a Bollywood-related website not because it was banned in Oman, but because of upstream filtering in India, the pass-through country for a portion of Oman’s Internet traffic. 6  In Indonesia, Internet-censorship rules are applied at the level of Internet Service Providers (ISPs). The country has more than three-hundred of these; what you can see online has much to do with which one you use. 7

As censorship extends into social media and applications, inconsistencies bloom, as is famously the case in China. In some countries, a user cannot see the filtering, which displays as a “network error.” Although relatively easy to bypass and document, 8 first-generation controls have won enough acceptance to have opened the door to more expansive measures.

Second-generation controls are best thought of as deepening and ex- tending information controls into society through laws, regulations, or requirements that force the private sector to do the state’s bidding by policing privately owned and operated networks according to the state’s demands. Second-generation controls can now be found in every region of the world, and their number is growing. Turkey is passing new laws, on the pretext of protecting national security and fighting cyber-crime, that will expand wiretapping and other surveillance and detention powers while allowing the state to censor websites without a court order. Ethiopia charged six bloggers from the Zone 9 group and three independent journalists with terrorism and treason after they covered political issues. Thailand is considering new cyber-crime laws that would grant authorities the right to access emails, telephone records, computers, and postal mail without needing prior court approval. Under reimposed martial law, Egypt has tightened regulations on demonstrations and arrested prominent bloggers, including Arab Spring icon Alaa Abd El Fattah. Saudi blogger Raif Badawi is looking at ten years in jail and 950 remaining lashes (he received the first fifty lashes in January 2015) for criticizing Saudi clerics online. Tunisia passed broad reforms after the Arab Spring, but even there a blogger has been arrested under an obscure older law for “defaming the military” and “insulting military commanders” on Facebook. Between 2008 and March 2015 (when the Supreme Court struck it down), India had a law that banned “menacing” or “offensive” social-media posts. In 2012, Renu Srinavasan of Mumbai found herself arrested merely for hitting the “like” button below a friend’s Facebook post. In Singapore, blogger and LGBT activist Alex Au was fined in March 2015 for criticizing how a pair of court cases was handled.

Second-generation controls also include various forms of “baked-in” surveillance, censorship, and “backdoor” functionalities that governments, wielding their licensing authority, require manufacturers and service providers to build into their products. Under new anti-terrorism laws, Beijing recently announced that it would require companies offering services in China to turn over encryption keys for state inspection and build into all systems backdoors open to police and security agencies. Existing regulations already require social-media companies to survey and censor their own networks. Citizen Lab has documented that many chat applications popular in China come pre-configured with censorship and surveillance capabilities. 9  For many years, the Russian government has required telecommunications companies and ISPs to be “SORM-compliant” — SORM is the Russian acronym for the surveillance system that directs copies of all electronic communications to local security offices for archiving and inspection. In like fashion, India’s Central Monitoring System gives the government direct access to the country’s telecommunications networks. Agents can listen in on broadband phone calls, SMS messages, and email traffic, while all call-data records are archived and analyzed. In Indonesia, where BlackBerry smartphones remain popular, the government has repeatedly pressured Canada-based BlackBerry Limited to comply with “lawful-access” demands, even threatening to ban the company’s services unless BlackBerry agreed to host data on servers in the country. Similar demands have come from India, Saudi Arabia, and the United Arab Emirates. The company has even agreed to bring Indian technicians to Canada for special surveillance training. 10

Also spreading are new laws that ban security and anonymizing tools, including software that permits users to bypass first-generation blocks. Iran has arrested those who distribute circumvention tools, and it has throttled Internet traffic to frustrate users trying to connect to popular circumvention and anonymizer tools such as Psiphon and Tor. Belarus and Russia have both recently proposed making Tor and similar tools illegal. China has banned virtual private networks (VPNs) nationwide — the latest in a long line of such bans—despite the difficulties that this causes for business. Pakistan has banned encryption since 2011, although its widespread use in financial and other communications inside the country suggests that enforcement is lax. The United Arab Emirates has banned VPNs, and police there have stressed that individuals caught using them may be charged with violating the country’s harsh cyber-crime laws.

Second-generation controls include finer-grained registration and identification requirements that tie people to specific accounts or devices, or even require citizens to obtain government permission before using the Internet. Pakistan has outlawed the sale of prepaid SIM cards and demands that all citizens register their SIM cards using bio-metric identification technology. The Thai military junta has extended such registration rules to cover free WiFi accounts as well. China has imposed real-name registration policies on Internet and social-media accounts, and companies have dutifully deleted tens of thousands of accounts that could not be authenticated. Chinese users must also commit to respect the seven “baselines,” including “laws and regulations, the Socialist system, the national interest, citizens’ lawful rights and interests public order, morals, and the veracity of information.”11

By expanding the reach of laws and broad regulations, second-generation controls narrow the space left free for civil society, and subject the once “wild frontier” of the Internet to growing regulation. While enforcement may be uneven, in country after country these laws hang like dark clouds over civil society, creating a climate of uncertainty and fear.

Authoritarians on the Offensive

Third-generation controls are the hardest to document, but may be the most effective. They involve surveillance, targeted espionage, and other types of covert disruptions in cyberspace. While first-generation controls are defensive and second-generation controls probe deeper into society, third-generation controls are offensive. The best known of these are the targeted cyber-espionage campaigns that emanate from China. Although Chinese spying on businesses and governments draws most of the news reports, Beijing uses the same tactics to target human-rights, pro-democracy, and independence movements outside China. A recent four-year comparative study by Citizen Lab and ten participating NGOs found that those groups suffered the same persistent China-based digital attacks as governments and Fortune 500 companies. 12 The study also found that targeted espionage campaigns can have severe consequences including disruptions of civil society and threats to liberty. At the very least, persistent cyber-espionage attacks breed self-censorship and undermine the networking advantages that civil society might otherwise reap from digital media. Another Citizen Lab report found that China has employed a new attack tool, called “The Great Cannon,” which can redirect the website requests of unwitting foreign users into denial-of-service attacks or replace web requests with malicious software. 13

While other states may not be able to match China’s cyber-espionage or online-attack capabilities, they do have options. Some might buy off-the-shelf espionage “solutions” from Western companies such as the United Kingdom’s Gamma Group or Italy’s Hacking Team — each of which Citizen Lab research has linked to dozens of authoritarian-government clients. 14 In Syria, which is currently the site of a multi-sided, no-holds-barred regional war, security services and extremist groups such as ISIS are borrowing cyber-criminals’ targeted-attack techniques, downloading crude but effective trade-craft from open sources and then using it to infiltrate opposition groups, often with deadly results. 15 The capacity to mount targeted digital attacks is proving particularly attractive to regimes that face persistent insurgencies, popular protests, or other standing security challenges. As these techniques become more widely used and known, they create a chilling effect: Even without particular evidence, activists may avoid digital communication for fear that they are being monitored.

Third-generation controls also include efforts to aim crowd-sourced antagonism at political foes. Governments recruit “electronic armies” that can use the very social media employed by popular opposition movements to discredit and intimidate those who dare to criticize the state. 16 Such on-line swarms are meant to make orchestrated denunciations of opponents look like spontaneous popular expressions. If the activities of its electronic armies come under legal question or result in excesses, a regime can hide behind “plausible deniability.” Examples of pro-government e-warriors include Venezuela’s Chavista “communicational guerrillas,” the Egyptian Cyber Army, the pro-Assad Syrian Electronic Army, the pro-Putin bloggers of Russia, Kenya’s “director of digital media” Dennis Itumbi plus his bloggers, Saudi Arabia’s anti-pornography “ethical hackers,” and China’s notorious “fifty-centers,” so called because they are allegedly paid that much for each pro-government comment or status update they post.

Other guises under which third-generation controls may travel include not only targeted attacks on Internet users but wholesale disruptions of cyber-space. Typically scheduled to cluster before and during major political events such as elections, anniversaries, and public demonstrations, “just-in-time” disruptions can be as severe as total Internet blackouts. More common, however, are selective disruptions. In Tajikistan, SMS services went down for several days leading up to planned opposition rallies in October 2014. The government blamed technical errors; others saw the hand of the state at work. 17 Pakistan blocked all mobile services in its capital, Islamabad, for part of the day on 23 March 2015 in order to shield national-day parades from improvised explosive devices. 18 During the 2014 pro-democracy demonstrations in Hong Kong, China closed access to the photo-sharing site Instagram. Telecommunications companies in the Democratic Republic of Congo were ordered to shut down all mobile and SMS communications in response to anti-government protests. Ban- gladesh ordered a ban on the popular smartphone messaging application Viber in January 2015, after it was linked to demonstrations.

To these three generations, we might add a fourth. This comes in the form of a more assertive authoritarianism at the international level. For years, governments that favor greater sovereign control over cyber-space have sought to assert their preferences—despite at times stiff resistance—in forums such as the International Telecommunication Union (ITU), the Internet Governance Forum (IGF), the United Nations (UN), and the Internet Corporation for Assigned Names and Numbers (ICANN). 19 Although there is no simple division of “camps,” observers tend to group countries broadly into those that prefer a more open Internet and a limited role for states and those that prefer a state-led form of governance, probably under UN auspices.

The United States, the United Kingdom, Europe, and the Asian democracies line up most often behind openness, while China, Iran, Russia, Saudi Arabia, and various other non-democracies fall into the latter group. A large number of emerging-market countries, led by Brazil, India, and Indonesia, are “swing states” that can go either way. Battle lines between these opposing views were becoming sharper around the time of the December 2012 World Congress on Information Technology (WCIT) in Dubai—an event that many worried would mark the fall of Internet governance into UN (and thus state) hands. But the WCIT process stalled, and lobbying by the United States and its allies (plus Internet companies such as Google) played a role in preventing fears of a state-dominated Internet from coming true.

If recent proposals on international cyber-security submitted to the UN by China, Russia, and their allies tell us anything, future rounds of the cyber-governance forums may be less straightforward than what transpired at Dubai. In January 2015, the Beijing- and Moscow-led Shanghai Cooperation Organization (SCO) submitted a draft “International Code of Conduct for Information Security” to the UN. This document reaffirms many of the same principles as the ill-fated WCIT Treaty, including greater state control over cyber-space.

Such proposals will surely raise the ire of those in the “Internet freedom” camp, who will then marshal their resources to lobby against their adoption. But will wins for Internet freedom in high-level international venues (assuming that such wins are in the cards) do anything to stop local and regional trends toward greater government control of the online world? Writing their preferred language into international statements may please Internet- freedom advocates, but what if such language merely serves to gloss over a ground-level reality of more rather than less state cyber-authority?

It is important to understand the driving forces behind resurgent authoritarianism in cyberspace if we are to comprehend fully the challenges ahead, the broader prospects facing human rights and democracy promotion worldwide, and the reasons to suspect that the authoritarian resurgence in cyberspace will continue.

A major driver of this resurgence has been and likely will continue to be the growing impetus worldwide to adopt cyber-security and anti-terror policies. As societies come to depend ever more heavily on networked digital information, keeping it secure has become an ever-higher state priority. Data breaches and cyber-espionage attacks — including massive thefts of intellectual property — are growing in number. While the cyber- security realm is replete with self-serving rhetoric and threat inflation, the sum total of concerns means that dealing with cyber-crime has now become an unavoidable state imperative. For example, the U.S. intelligence community’s official 2015 “Worldwide Threat Assessment” put cyber-attacks first on the list of dangers to U.S. national security. 20

It is crucial to note how laws and policies in the area of cyber-security are combining and interacting with those in the anti-terror realm. Violent extremists have been active online at least since the early days of al-Qaeda several decades ago. More recently, the rise of the Islamic State and its gruesome use of social media for publicity and recruitment have spurred a new sense of urgency. The Islamic State atrocities recorded in viral beheading videos are joined by (to list a few) terror attacks such as the Mumbai assault in India (November 2008); the Boston Marathon bombings (April 2013); the Westgate Mall shootings in Kenya (September 2013); the Ottawa Parliament shooting (October 2014); the Charlie Hebdo and related attacks in Paris (January 2015); repeated deadly assaults on Shia mosques in Pakistan (most recently in February 2015); and the depredations of Nigeria’s Boko Haram.

Horrors such as these underline the value of being able to identify, in timely fashion amid the wilderness of cyberspace, those bent on violence before they strike. The interest of public-safety officials in data-mining and other high-tech surveillance and analytical techniques is natural and understandable. But as expansive laws are rapidly passed and state-security services (alongside the private companies that work for and with them) garner vast new powers and resources, checks and balances that protect civil liberties and guard against the abuse of power can be easily forgotten. The adoption by liberal democracies of sweeping cyber-crime and anti-terror measures without checks and balances cannot help but lend legitimacy and normative support to similar steps taken by authoritarian states. The headlong rush to guard against extremism and terrorism worldwide, in other words, could end up providing the biggest boost to resurgent authoritarianism.

Regional Security Cooperation as a Factor

While international cyberspace conferences attract attention, often overlooked are regional security forums. The latter are the places where cyber-security coordination happens. They are focused sites of learning and norm promotion where ideas, technologies, and “best” practices are exchanged. Even countries that are otherwise rivals can and do agree and cooperate within the context of such security forums.

The SCO, to name one prominent regional group, boasts a well-developed normative framework that calls upon its member states to combat the “three evils” of terrorism, separatism, and extremism. The upshot has been information controls designed to bolster regime stability against opposition groups and the claims of restive ethnic minorities. The SCO recently held joint military exercises in order to teach its forces how to counter Internet-enabled opposition of the sort that else- where has led to “color revolutions.” The Chinese official who directs the SCO’s “Regional Anti-Terrorist Structure” (RATS) told the UN Counter-Terrorism Committee that RATS had “collected and distributed to its Member States intelligence information regarding the use of the Internet by terrorist groups active in the region to promote their ideas.” 21

Such information may include intelligence on individuals involved in what international human-rights law considers legitimate political expression. Another Eurasian regional security organization in which Russia plays a leading role, the Collective Security Treaty Organization (CSTO), has announced that it will be creating an “international center to combat cyber threats.”22 Both the SCO and the CSTO are venues where commercial platforms for both mass and targeted surveillance are sold, shared, and exchanged. The telecommunications systems and ISPs in each of the five Central Asian republics are all “SORM-compliant” — ready to copy all data routinely to security services, just as in Russia. The SCO and CSTO typically carry out most of their deliberations behind closed doors and release no disclosures in English, meaning that much of what they do escapes the attention of Western observers and civil society groups.

The regional cyber-security coordination undertaken by the Gulf Co- operation Council (GCC) offers another example. In 2014, the GCC approved a long-awaited plan to form a joint police force, with head- quarters in Abu Dhabi. While the fights against drug dealing and money laundering are to be among the tasks of this Gulf Interpol, the new force will also have the mission of battling cyber-crime. In the Gulf monarchies, however, online offenses are defined broadly and include posting items that can be taken as critical of royal persons, ruling families, or the Muslim religion. These kingdoms and emirates have long records of suppressing dissent and even arresting one another’s political opponents. Whatever its other law-enforcement functions, the GCC version of Interpol is all too likely to become a regional tool for suppressing protest and rooting out expressions of discontent.

“Flying under the radar,” with little flash, few reporters taking notice, and lots of closed meetings carried on in local languages by like-minded officials from neighboring authoritarian states, organizations concerned with regional governance and security attract far less attention than UN conferences that seem poised to unleash dramatic Web takeovers which may never materialize. Yet it is in these obscure regional corners that the key norms of cyberspace controls may be taking shape and taking hold.

The Cyber-security Market as a Factor

A third driving factor has to do with the rapid growth of digital connectivity in the global South and among the populations of authoritarian regimes, weak states, and flawed democracies. In Indonesia the number of Internet users increases each month by a stunning 800,000. In 2000, Nigeria had fewer than a quarter-million Internet users; today, it has 68 million. The Internet-penetration rate in Cambodia rose a staggering 414 percent from January 2014 to January 2015 alone. By the end of 2014, the number of mobile-connected devices exceeded the number of people on Earth. Cisco Systems estimates that by 2019, there will be nearly 1.5 mobile devices per living human. The same report predicts that the steepest rates of growth in mobile-data traffic will be found in the Middle East and Africa. 23

Booming digital technology is good for economic growth, but it also creates security and governance pressure points that authoritarian regimes can squeeze. We have seen how social media and the like can mobilize masses of people instantly on behalf of various causes (pro-democratic ones included). Yet many of the very same technologies can also be used as tools of control. Mobile devices, with their portability, low-cost, and light physical-infrastructure requirements, are how citizens in the developing world connect. These handheld marvels allow people to do a wealth of things that they could hardly have dreamt of doing before. Yet all mobile devices and their dozens of installed applications emit reams of highly detailed information about peoples’ movements, social relationships, habits, and even thoughts — data that sophisticated agencies can use in any number of ways to spy, to track, to manipulate, to deceive, to extort, to influence, and to target.

The market for digital spyware described earlier needs to be seen not only as a source of material and technology for countries who demand them, but as an active shaper of those countries’ preferences, practices, and policies. This is not to say that companies are persuading policy makers regarding what governments should do. Rather, companies and the services that they offer can open up possibilities for solutions, be they deep-packet inspection, content filtering, cellphone tracking, “big-data” analytics, or targeted spyware. SkyLock, a cellphone-tracking solution sold by Verint Systems of Melville, New York, purports to offer governments “a cost-effective, new approach to obtaining global location information concerning known targets.” Company brochures obtained by the Washington Post include “screen shots of maps depicting location tracking in what appears to be Mexico, Nigeria, South Africa, Brazil, Congo, the United Arab Emirates, Zimbabwe, and several other countries.” 24

Large industry trade fairs where these systems are sold are also crucial sites for learning and information exchange. The best known of these, the Intelligence Support Systems (ISS) events, are run by TeleStrategies, Incorporated, of McLean, Virginia. Dubbed the “Wiretappers’ Ball” by critics, ISS events are exclusive conventions with registration fees high enough to exclude most attendees other than governments and their agencies. As one recent study noted, ISS serves to connect registrants with surveillance-technology vendors, and provides training in the latest industry practices and equipment. 25  The March 2014 ISS event in Dubai featured one session on “Mobile Location, Surveillance and Signal Intercept Product Training” and another that promised to teach attendees how to achieve “unrivaled at-tack capabilities and total resistance to detection, quarantine and removal by any endpoint security technology.” 26 Major corporate vendors of lawful-access, targeted-surveillance, and data-analytic solutions are fixtures at ISS meetings and use them to gather clients.

As cyber-security demands grow, so will this market. Authoritarian policy makers looking to channel industrial development and employment opportunities into paths that reinforce state control can be expected to support local innovation. Already, schools of engineering, computer science, and data-processing are widely seen in the developing world as viable paths to employment and economic sustainability, and within those fields cyber-security is now a major driving force. In Malaysia, for example, the British defense contractor BAE Systems agreed to under- write a degree-granting academic program in cyber-security in partial fulfillment of its “defense offsets” obligation. 27  India’s new “National Cyber Security Policy” lays out an ambitious strategy for training a new generation of experts in, among other things, the fine points of “ethical hacking.” The goal is to give India an electronic army of high-tech specialists a half-million strong. In a world where “Big Brother” and “Big Data” share so many of the same needs, the political economy of cyber-security must be singled out as a major driver of resurgent authoritarianism in cyberspace.

Edward Snowden as a Factor

Since June 2013, barely a month has gone by without new revelations concerning U.S. and allied spying—revelations that flow from the disclosures made by former NSA contractor Edward Snowden. The disclosures fill in the picture of a remarkable effort to marshal extraordinary capacities for information control across the entire spectrum of cyber- space. The Snowden revelations will continue to fuel an important public debate about the proper balance to be struck between liberty and security.

While the value of Snowden’s disclosures in helping to start a long- needed discussion is undeniable, the revelations have also had unintended consequences for resurgent authoritarianism and cyberspace. First, they have served to deflect attention away from authoritarian-regime cyber-espionage campaigns such as China’s. Before Snowden fled to Hong Kong, U.S. diplomacy was taking an aggressive stand against cyber-espionage. Individuals in the pay of the Chinese military and allegedly linked to Chinese cyber-espionage were finding themselves under indictment. Since Snowden, the pressure on China has eased. Beijing, Moscow, and others have found it easy to complain loudly about a double standard supposedly favoring the United States while they rationalize their own actions as “normal” great-power behavior and congratulate themselves for correcting the imbalance that they say has beset cyberspace for too long.

Second, the disclosures have created an atmosphere of suspicion around Western governments’ intentions and raised questions about the legitimacy of the “Internet Freedom” agenda backed by the United States and its allies. Since the Snowden disclosures—revealing top-secret exploitation and disruption programs that in some respects are indistinguishable from those that Washington and its allies have routinely condemned — the rhetoric of the Internet Freedom coalition has rung rather hollow. In February 2015, it even came out that British, Canadian, and U.S. signals-intelligence agencies had been “piggybacking” on China-based cyber-espionage campaigns—stealing data from Chinese hackers who had not properly secured their own command-and-control networks. 28

Third, the disclosures have opened up foreign investment opportunities for IT companies that used to run afoul of national-security concerns. Before Snowden, rumors of hidden “backdoors” in Chinese-made technology such as Huawei routers put a damper on that company’s sales. Then it came out that the United States and allied governments had been compelling (legally or otherwise) U.S.-based tech companies to do precisely what many had feared China was doing—namely, in-stalling secret backdoors. So now Western companies have a “Huawei” problem of their own, and Huawei no longer looks so bad.

In the longer term, the Snowden disclosures may have the salutary effect of educating a large number of citizens about mass surveillance. In the nearer term, however, the revelations have handed countries other than the United States and its allies an opportunity for the self-interested promotion of local IT wares under the convenient rhetorical guise of striking a blow for “technological sovereignty” and bypassing U.S. in- formation controls.

There was a time when authoritarian regimes seemed like slow-footed, technologically challenged dinosaurs whom the Information Age was sure to put on a path toward ultimate extinction. That time is no more—these regimes have proven themselves surprisingly (and dismayingly) light-footed and adaptable. National-level information controls are now deeply entrenched and growing. Authoritarian regimes are becoming more active and assertive, sharing norms, technologies, and “best” practices with one another as they look to shape cyberspace in ways that legitimize their national interests and domestic goals.

Sadly, prospects for halting these trends anytime soon look bleak. As resurgent authoritarianism in cyberspace increases, civil society will struggle: A web of ever more fine-grained information controls tightens the grip of unaccountable elites. Given the comprehensive range of information controls outlined here, and their interlocking sources deep within societies, economies, and political systems, it is clear that an equally comprehensive approach to the problem is required. Those who seek to promote human rights and democracy through cyberspace will err gravely if they stick to high-profile “Internet Freedom” conferences or investments in “secure apps” and digital training. No amount of rhetoric or technological development alone will solve a problem whose roots run this deep and cut across the borders of so many regions and countries.

What we need is a patient, multi-pronged, and well-grounded approach across numerous spheres, with engagement in a variety of venues. Researchers, investigative journalists, and others must learn to pay more attention to developments in regional security settings and obscure trade fairs. The long-term goal should be to open these venues to greater civil society participation and public accountability so that considerations of human rights and privacy are at least raised, even if not immediately respected.

The private sector now gathers and retains staggering mountains of data about countless millions of people. It is no longer enough for states to conduct themselves according to the principles of transparency, accountability, and oversight that democracy prizes; the companies that own and operate cyberspace — and that often come under tremendous pressure from states — must do so as well. Export controls and “smart sanctions” that target rights-offending technologies without infringing on academic freedom can play a role. A highly distributed, independent, and powerful system of cyberspace verification should be built on a global scale that monitors for rights violations, dual-use technologies, targeted malware attacks, and privacy breaches. A model for such a system might be found in traditional arms-control verification regimes such as the one administered by the Organization for the Prohibition of Chemical Weapons. Or it might come from the research of academic groups such as Citizen Lab, or the setup of national computer emergency-response teams (CERTs) once these are freed from their current subordination to parochial national-security concerns. 29   However it is ultimately constituted, there needs to be a system for monitoring cyber- space rights and freedoms that is globally distributed and independent of governments and the private sector.

Finally, we need models of cyberspace security that can show us how to prevent disruptions or threats to life and property without sacrificing liberties and rights. Internet-freedom advocates must reckon with the realization that a free, open, and secure cyberspace will materialize only within a framework of democratic oversight, public accountability, transparent checks and balances, and the rule of law. For individuals living under authoritarianism’s heavy hand, achieving such lofty goals must sound like a distant dream. Yet for those who reside in affluent countries, especially ones where these principles have lost ground to anti-terror measures and mass-surveillance programs, fighting for them should loom as an urgent priority and a practically achievable first step on the road to remediation.

Time, 18 February 2015.

  1. Sam Kimball, “After the Arab Spring, Surveillance in Egypt Intensifies,” Intercept, 9 March 2015, egypt-intensifies.
  2. Steven Levitsky and Lucan A. Way, “The Rise of Competitive Authoritarianism,” Journal of Democracy 13 (April 2002):, 51–65.
  3. Ronald Deibert and Rafal Rohozinski, “Beyond Denial: Introducing Next Generation Information Access Controls,”  Note that the “generations” of controls are not assumed to be strictly chronological: Governments can skip generations, and several generations can exist together. Rather, they are a useful heuristic device for understanding the evolution of information.
  4. “YouTube to Remain Blocked ‘Indefinitely’ in Pakistan: Officials,” Dawn (Islamabad), 8 February 2015,
  5. Bennett Haselton, “Blue Coat Errors: Sites Miscategorized as ‘Pornography,’” Citizen Lab, 10 March 2014,
  6. “Routing Gone Wild: Documenting Upstream Filtering in Oman via India,” Citizen Lab, 12 July 2012,
  7. “IGF 2013: Islands of Control, Island of Resistance: Monitoring the 2013 Indone- sian IGF (Foreword),” Citizen Lab, 20 January 2014,
  8. Masashi Crete-Nishihata, Ronald J. Deibert, and Adam Senft, “Not by Technical Means Alone: The Multidisciplinary Challenge of Studying Information Controls,” IEEE Internet Computing 17 (May–June 2013): 34–41.
  9. See
  10. Amol Sharma, “RIM Facility Helps India in Surveillance Efforts,” Wall Street Journal, 28 October 2011.
  11. Rogier Creemers, “New Internet Rules Reflect China’s ‘Intent to Target Individuals Online,’” Deutsche Welle, 2 March 2015.
  12. Citizen Lab, “Communities @ Risk: Targeted Digital Threats Against Civil Society,” 11 November 2014,;
  13. Bill Marczak et , “China’s Great Cannon,” Citizen Lab, 10 April 2015,
  14. “For Their Eyes Only: The Commercialization of Digital Spying,” Citizen Lab, 30 April 2013,;
  15. “Malware Attack Targeting Syrian ISIS Critics,” Citizen Lab, 18 December 2014,
  16. Seva Gunitzky, “Corrupting the Cyber-Commons: Social Media as a Tool of Autocratic Stability,” Perspectives on Politics 13 (March 2015): 42–54.
  17. RFE/RL Tajik Service, “SMS Services Down in Tajikistan After Protest Calls,” Radio Free Europe/Radio Liberty, 10 October 2014,
  18. See “No Mobile Phone Services on March 23 in Islamabad,” Daily Capital (Islamabad), 22 March 2015,
  19. Ronald J. Deibert and Masashi Crete-Nishihata, “Global Governance and the Spread of Cyberspace Controls,” Global Governance 18 (2012): 339–61, http://citizenlab. org/cybernorms2012/governance.pdf.
  20. See James R. Clapper, “Statement for the Record Worldwide Threat Assessment of the US Intelligence Community,” Senate Armed Services Committee, 26 February 2015,
  21. See “Counter-Terrorism Committee Welcomes Close Cooperation with the Regional Anti-Terrorist Structure of the Shanghai Cooperation Organization,” 24 October 2014,
  22. See Joshua Kucera, “SCO, CSTO Increasing Efforts Against Internet Threats,” The Bug Pit, 16 June 2014,
  23. See Cisco, “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update 2014–2019,” white paper, 3 February 2015,
  24. Craig Timberg, “For Sale: Systems That Can Secretly Track Where Cellphone Users Go Around the Globe,” Washington Post, 24 August 2014.
  25. Collin Anderson, “Monitoring the Lines: Sanctions and Human Rights Policy Considerations of TeleStrategies ISS World Seminars,” 31 July 2014,
  26. Anderson, “Monitoring the Lines: Sanctions and Human Rights Policy Considerations of TeleStrategies ISS World Seminars,” 31 July 2014,
  27. See Jon Grevatt, “BAE Systems Announces Funding of Malaysian Cyber Degree Programme,” IHS Jane’s 360, 5 March 2015,
  28. Colin Freeze, “Canadian Agencies Use Data Stolen by Foreign Hackers, Memo Reveals” Globe and Mail (Toronto), 6 February 2015.
  29. For one proposal along these lines, see Duncan Hollis and Tim Maurer, “A Red Cross for Cyberspace," Time, 18 February 2015.

Deibert, Ronald - Shutting the Backdoor: The Perils of National Security and Digital Surveillance Programs - 201310

Shutting the Backdoor: The Perils of National Security and Digital Surveillance Programs - Ronald Deibert - October 2013


As governments have sought to monitor digital communications for security purposes, the “backdoor” paradigm has become the predominant approach. Strictly speaking, backdoors refer to special methods of bypassing normal authentication procedures to secretly access computing systems. But here the concept is used in a broader sense to describe a range of policies and practices whereby governments compel, or otherwise get the cooperation of, private sector companies to provide access to data they control. The backdoor paradigm is not only a concern for political reasons, particularly for civil liberties, it is also bad for digital security and foreign policy. Law enforcement and intelligence agencies should instead seek to work within the information-rich world of Big Data that surrounds us with any access to private communications made exceptional and strictly controlled by lawful procedures and oversight mechanisms.

“If a surveillance capability were quietly added into the core of the Internet and an attempt was made to keep it a secret, in some respects this would be antithetical to the overarching philosophy upon which the Internet was built” Tom Cross, BlackHat 2010


The Internet and associated digital media have deeply penetrated all of society. We now live in the world of the “Internet of things,” by some estimates there are now 10 billion internet connected devices on the planet networked together via common protocol. This common space is not only a forum for communications, it is a major repository of data about each and every one of us, our daily habits, movements, social relationships, and even private thoughts. For government agencies whose mission is to enforce the law or gather intelligence, cyberspace has become an extraordinary asset and an object of security in its own right. As governments have ramped up digital surveillance programs, they have had to turn to the private sector, which controls not only the familiar services we all use (Google, Facebook, Microsoft), but the vast majority of the physical infrastructure of cyberspace as well—the cell phone base stations, undersea fibre optic cables, Internet Exchange Points, and routers.

One of the ways governments have approached the private sector has been to compel, legally or informally, the development of special modifications to private company’s technical systems to enable access to data, what I call the “back door” paradigm. Strictly speaking, backdoors refer to special methods of bypassing normal authentication procedures to secretly access computing systems. But I use the phrase in a broader sense, to refer to the paradigm of state-directed modification of and/or intrusions into communications infrastructure and services for security purposes. Examples of the backdoor paradigm include lawful intercept mechanisms coded directly into software, to “splitters” that surreptitiously fork copies of data streams to alternative destinations, to other, informal, means of data sharing that may go on between private sector and security services. The backdoor paradigm is not new, but the Edward Snowden/NSA revelations have cast a spotlight on them and underscored how deeply entrenched they have become in the post 9/11 era of Big Data surveillance. In what follows I lay out several concerns about the backdoor paradigm, foremost among them being the ways, in the name of security, backdoors actually contribute to greater insecurities down the road. Shutting the backdoor is, therefore, an urgent public policy matter for all liberal democratic countries. Rather than sacrifice cyberspace at the altar of security, law enforcement and intelligence agencies should be encouraged to develop alternative modes of data collection strictly within the framework of the rule of law.

History of Backdoors

Built-in backdoors on communications equipment for law enforcement and intelligence agencies are not new. It is often said that espionage is the second oldest profession, and as long as governments have been engaged in espionage they have looked to assert control through the means of communication. In the early 20th century, for example, telegraphic messages processed by Western Union and other companies, including those of foreign diplomatic communications, were copied and secretly given to US authorities, much the same as Verizon has reportedly done so today. Codenamed “Shamrock,” the program required the companies to, on a daily basis, hand over to the NSA copies of all of the cables sent to, from, or through the US.[1] During the Cold War, a variety of signals intelligence collection mechanisms, from specially equipped naval vessels to huge land-based antennas, intercepted stray radar and radio transmissions, even those that bounced off the surface of the moon.

The rise of the Internet and digital technology presented a new challenge to signals intelligence, but also a special opportunity. Digital media flowing through fibre optic cables do not unintentionally leak data into the atmosphere in the same way, making signals interception a more difficult task. At the same time, huge and exponentially growing volumes of digital data, processed and archived through the Internet’s physical points of control (e.g., switches, gateways, exchange points), presented irresistible targets for data mining and analysis, leading the government to seek access through cooperation with the companies that own and operate the infrastructure. Then, as now, the government sought to ensure access to data by deliberately weakening one type of security in the name of another. Occasionally, these efforts trickled into the public domain. During the 1990s, there was a cantankerous “cryptodebate” over US government proposals to control the export of strong encryption to foreign jurisdictions to weaken the security of adversaries and make them more open to US surveillance. Criticism at that time questioned the wisdom of such controls, arguing that restricting cryptography would end up hurting the US itself. As Bruce Schneier explains

[t]he government deliberately weakened U.S. cryptography products because it didn’t want foreign groups to have access to secure systems. Two things resulted: fewer Internet products with cryptography, to the insecurity of everybody, and a vibrant foreign security industry based on the unofficial slogan ‘Don’t buy the U.S. stuff—it’s lousy.’

The US Communications Assistance for Law Enforcement Act (CALEA), passed in 1994 and still in effect, requires telecommunications carriers to install technical capabilities for lawful surveillance into all equipment manufactured or sold in the US. Although the law applies to telecommunications carriers, US government officials have appealed to expand the law to cover VOIP and other broadband digital services. During the “Clipper Chip” debate of the 1990s, the US government attempted to mandate the production of special chips into telecommunications equipment that would allow the NSA to eavesdrop on voice traffic using a surrendered encryption key. While critics of the Clipper Chip managed to scuttle the proposal, the same basic backdoor philosophy has continued to drive government surveillance efforts up to and including the present time. 9/11 gave added impetus to these approaches, with a perceived “failure to connect the dots” driving ambitious plans and a thriving new market to gather as much information from as many discrete information sources as possible and then mine and analyze it.[2]

The Snowden Revelations and the Backdoor Paradigm

Edward Snowden’s detailed leaks have opened a chasm into the otherwise secretive world of intelligence practices, revealing widespread monitoring of both US and international communications by the US NSA and some of its allied agencies, like the UK’s GCHQ. Among other revelations, the leaked documents have provided details on elaborate programs involving the cooperation of some of the Internet’s largest companies, like Google, Microsoft, Facebook, and Yahoo! as well as major tier 1 telecommunications companies, like Verizon and Global Crossing. Although the exact details are in dispute, the program codenamed PRISM appears to have involved a hiving off of customer data onto special servers to give law enforcement and intelligence agencies direct access.[3] In the case of leaks involving Verizon, the company supplied the NSA with metadata on all domestic and international telephone call records.4 Metadata might best be described as everything but the content of the communications, meaning the endpoints of the transmission, the length and time of the call, and so on. Other leaks have shown how foreign owned telecommunication companies seeking to operate in the United States are approached by US legal officials, called “Team Telecom,” who may request similar data sharing arrangements, such as compliance with CALEA or archiving of data on US soil for national security investigations.[4]

In the case of leaks concerning Microsoft, the company reportedly helped solve encryption cracking issues surrounding email, cloud, and VOIP services, including providing access to videoconference streams over Skype without users’ knowledge.[5]

Other leaked documents have shed light on top secret programs, codenamed “Bullrun,” whose objectives are to weaken encryption standards worldwide, including by encouraging companies to insert deliberate vulnrabilities into their encryption algorithms known only to the NSA. Given Canada’s own signals intelligence agency, the Communications Security Establishment of Canada (CSEC) has a long-standing special relationship with the

NSA, it should come as no surprise that we would develop similar programs. According to recent Globe and Mail reports, “for nearly two decades, Ottawa officials have told telecommunications companies that one of the conditions of obtaining a licence to use wireless spectrum is to provide government with the capability to bug the devices that use the spectrum.”[6] Documents obtained by The Globe also reveal that as part of these requirements, Ottawa has demanded companies scramble encryption so that it can be accessed by Canada’s law enforcement agencies.

The leaks have touched off vigorous public policy and security debates in the US and abroad. Their scope and scale as highlighted in the leaked documents (which themselves are probably only a partial peek), call into question recent law enforcement lobbying efforts, claiming that the FBI was at risk of “going dark” because of new communication technologies.8 In light of Snowden’s revelations about wholesale surveillance programs, as well as the abundance of information in the public domain users willingly give out about themselves, their friends, interests, political preferences, etc, the assertions seem ludicrous. The controversy has also raised questions about the degree and effectiveness of oversight and public accountability for backdoor arrangements. While it is true that three branches of US government approved the programs associated with the Snowden leaks, the deliberations of the court that oversees them, the FISC, are themselves secret.[7] Moreover, it appears that many elected officials were either ignorant, or deliberately misled by government officials, about the true scope and scale of the programs in question.[8] The leaks have also raised questions about oversight of similar programs operating outside the United States, such as the UK’s GCHQ or Canada’s CSE, both of which have arguably far less independent scrutiny of their activities.[9] While European countries are subject to more stringent privacy protections, some of their signals intelligence programs have even less rigorous oversight than what appears to be the case in the UK and Canada, and certainly less than in the United States. Backdoors into massive and detailed databases of private information, as appears to have been constructed in the US and allied countries, calls for an urgent debate about proper checks and balances around national security in the world of Big Data.

Quite apart from these concerns about privacy and potential abuse of unchecked power is an additional concern around the security implications of backdoors. Building backdoors into devices and infrastructure may be useful to law enforcement and intelligence agencies, but it also provides a built-in vulnerability for those who would otherwise seek to exploit them and in doing so actually contributes to insecurity for the whole of society that depends on that infrastructure. In 2013, a team of twenty computer security researchers issued a report published by the US-based Center for Democracy and Technology, arguing that “mandating wiretap capabilities in endpoints poses serious security risks,” and that building “intercept functionality into … products is unwise and will be ineffective, with the result being serious consequences for the economic well-being and national security of the United States.”[10] As noted security expert Bruce Schneier points out with respect to the FBI’s claims, but in terms that could be generalized to other security services:

The FBI believes it can have it both ways: that it can open systems to its eavesdropping, but keep them secure from anyone else’s eavesdropping. That’s just not possible. It’s impossible to build a communications system that allows the FBI surreptitious access but doesn’t allow similar access by others. When it comes to security, we have two options: We can build our systems to be as secure as possible from eavesdropping, or we can deliberately weaken their security. We have to choose one or the other.[11]

MIT’s Susan Landau contributes an additional argument to these security concerns, which she labels the “time factor.”[12] The US law, the Communications Assistance for Law Enforcement Act (CALEA), mandated that telecommunications equipment be built with law enforcement access capabilities, and also applied retrospectively to older technologies. But it never factored in that the back doors could become vulnerable over time as attack capabilities progressed, and knowledge of the back doors spread. These types of concerns were amply demonstrated in a 2010 Black Hat presentation by IBM researcher Tom Cross of security vulnerabilities connected to lawful intercepts in Cisco routing products (which were based on standards set by the European Telecommunications Standards Institute)[13] in which he showed how the lawful intercept could be exploited to enter the systems and eavesdrop on communications without leaving a trace.[14]

There have been several real-life demonstrations of these types of vulnerabilities that should give us pause. Recent political scandals in Greece and Italy, in which prominent officials and business people had their phones secretly tapped with the information used for purposes of blackmail and slander, were enabled by poorly designed lawful access back doors on cell phone infrastructures.[15] A project to search the internet for access to critical infrastructure, called the Shodan search engine, has vividly demonstrated the number of easily accessible systems, some critical, that can be accessed from the wider Internet.[16] Some of the access points have emerged because of vulnerabilities in the code, but in other cases back doors have been built in and then forgotten about, or poorly maintained, by the engineers. In one case, the Canadian company, whose industrial grade software is used to control everything from power utilities to military plants and traffic control systems, had a back door that was hard coded with a single username (“factory”), and a password that was automatically generated depending on the MAC address of the device, which itself could easily be searched for using Shodan.[17] In 2008 Citizen Lab researchers discovered that the Chinese version of the popular VOIP product, Skype (called TOM-Skype) had been coded with a special surveillance system in place such that whenever certain keywords were typed into the chat client, data would be sent to a server in mainland China (presumably to share with China’s security services).[18] Upon further investigation, it was discovered that the server onto which the chat messages were stored was not password protected, allowing for the download of millions of personal chats, many of which included credit card numbers, business transactions, and other private information.[19]

By definition, back doors engineered for lawful interception are engineered vulnerabilities by a different name. In these and likely numerous other undiscovered cases, those vulnerabilities offer a direct point of access for exploitation. Building insecurities into the communications infrastructure that surrounds us may be a shortcut for law enforcement and intelligence, but is it one worth making relative to the vulnerabilities that are created for all of society?

Not only are back doors a concern for civil liberties and infrastructure security, they set a bad precedent for, and help legitimize, the very same practices abroad. The Tom-Skype example may look amateur in comparison to programs like the NSA’s PRISM, but it is a local variation on a common theme. No doubt one implication of Snowden’s revelations will be the spurring on of numerous national efforts to regain control of information infrastructures through national competitors to Google, Verizon, and other companies implicated, not to mention the development of national signals intelligence programs that attempt to duplicate the US model.[20] Already prior to the revelations, numerous companies faced complex and, at times, frustrating national “lawful access” requests from newly emerging markets. Many countries of the global South lack even basic safeguards and accountability mechanisms around the operations of security services, and their demands on the private sector could contribute to serious human rights violations and other forms of repression. For example, India, the United Arab Emirates, Saudi Arabia, and other countries have all demanded that Canada’s Blackberry put in place lawful interception and monitoring capabilities, compliance with which could begin to affect the nature of the Blackberry product itself. Although the company rarely discloses anything about these agreements, a spokesperson for the company admitted that it had developed a monitoring system for its consumer devices for the government of India and will even train technicians in interception back in Canada.23 (In India, the government requires all telecommunication companies to make available data to security agencies without a warrant or other basic safeguards). What was once a signature feature of the Blackberry product (uncrackable encryption), has been compromised in the name of opening up new markets.

Alternatives to BackDoors

If the backdoor paradigm is questionable on civil liberties, economics, security, and foreign policy grounds, what are the alternatives? As long as we live in a dangerous world with real threats, intelligence agencies are going to be an important element of liberal democratic government. Likewise, without agencies to enforce the law, the very basis for the exercise of human rights, including privacy, would quickly diminish.

Elsewhere, I have argued that civil society needs to develop a cyber security strategy, and part of that strategy must involve a response to the back door paradigm on security grounds. Rather than building in insecurities by design, a better strategy would emphasize the opposite: encouraging the widespread use of state of the art encryption systems, as well as adoption of standards such as “https by default” and “two factor authentication.” Another component of such a strategy would be to emphasize the security benefits of open source software, which provide greater assurances that companies have not built in special back door privileges by design, that customers get what they sign off on in their terms of service. In line with this approach would be regulations around deletion of stored data and proposals like the “right to be forgotten,” which, although typically seen in a rights-based framework, have security implications insofar as they restrict the copies of stored data that might be exploited for nefarious purposes.

As for legitimate lawful access requests, the group of experts involved in the CDT study argue that “law enforcement’s use of passive interception and targeted vulnerability exploitation tools creates fewer security risks for nontargets and critical infrastructure than do design mandates for wiretap interfaces.”24 In a world of “Big Data” in which so much of our information is routinely given away as part of our daily life, law enforcement and intelligence agencies need to find ways to work within this universe as it exists, rather than drill holes in it from the inside-out in ways that undermine confidence and create additional risks for all of society. Those lawful access provisions that are still required should be infrequent and strictly controlled with rigorous oversight and public accountability provisions. Direct tapping of entire services wholesale should be eliminated. Not only will this protect civil liberties and prevent the concentration of power in unchecked hands, it will ensure that we are not doing more to undermine our own security in an overzealous surveillance quest.


The communications environment we have created around us is complex and expanding, and the security issues surrounding it are serious and important. The backdoor paradigm is symptomatic of a larger trend that privileges intelligence and security agencies, builds borders around cyberspace, and undermines checks and balances around concentrations of power. The backdoor paradigm is not only bad for civil liberties, it is bad for security, and sets dangerous precedents for the legitimization of practices abroad we ostensibly oppose. Law enforcement and intelligence agencies are necessary and important to liberal democracy, but there is more than one way for them to go about their missions. In the world of Big Data, in which so much personal information is readily abundant, new methods of “connecting the dots” must be explored other than those that drill holes into our communications infrastructure. Government surveillance practices need radical re-thinking, beginning first and foremost with a reinforcement of basic checks and balances that have, for too long, been sidestepped in the name of security.

[1] See James Bamford, Body of Secrets: Anatomy of the Ultra-Secret National Security Agency, (New York: Random House, 2001 ), p. 133.

[2] A good historical resource for all of the above is Shane Harris, The Watchers: The Rise of America’s Surveillance State, (New York: Penguin, 2010).

[3]; also see “How Prism Works” 4

[4] and business/40406049_1_u-s-access-global-crossing-surveillance-requests.


[6] Colin Freeze and Rita Trichur, “Wireless firms agree to give Ottawa ability to monitor calls, phone data,” The Globe and Mail (September 16, 2013). 8 See the testimony of Robert S. Mueller, Director, FBI before the Committee on the Judiciary, US Senate, June 19, 2013 pdf/6-19-13MuellerTestimony.pdf and Hearing on: “Going Dark: Lawful Electronic Surveillance in the Face of New Technologies” hearings/hear_02172011.html.

[7] See Mark Rumold and David Sobel, “Government Says Secret Court Opinion on Law Underlying PRISM Program Needs to Stay Secret,” EFF (June 7, 2013)

[8] Greg Miller, “Misinformation on classified NSA programs includes statements by senior US officials,” Washington Post, June 30, 2013) http://www.

[9] and http://


[11] “The Problems with CALEA-II,” Schneier on Security, June 4, 2013,


[13] Tom Cross, “Exploiting Lawful Intercept to Wiretap the Internet,” BlackHat DC 2010, BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf. Notably the presentation was based on the fact that Cisco is one of the few companies to openly publish its lawful intercept architecture for peer review.  Without that transparency, Cross’ analysis could not be done.

[14], p.23.

[15] See Vassilis Prevelakis and Diomidis Spinellis, “The Athens Affair,” IEE Spectrum (June 29, 2007), found here: the-athens-affair.



[18] Information Warfare Monitor and ONI Asia, “Breaching trust: An analysis of surveillance and security practices on China’s TOM-Skype platform,” 2008 and Jedidiah Crandall et al, “Chat program censorship and surveillance in China: Tracking TOM-Skype and Sina UC,” First Monday, June 2013,  http://firstmonday. org/ojs/index.php/fm/article/view/4628/3727.

[19] The China-based espionage attacks aimed at Google and other companies, and revealed in January 2010 as Operation Aurora, may have been directed towards accessing Google’s database of court-ordered surveillance targets, and possibly even the forked databases that enable access for the FBI to Google data, known as the “PRISM” program.  Not enough is known about the attacks or the PRISM program to say for certain. See

[20] See Ron Deibert, “Why NSA Spying Scares the World,” CNN Opinion, (June 12, 2013) 23 24 “Going Bright: Wiretapping without Weakening Communications Infrastructure,” p.63.

Lawson, Philippa - Moving Toward a Surveillance Society – Proposals to Expand  “Lawful Access” in Canada - 2012

Lawson, Philippa - Moving Toward a Surveillance Society – Proposals to Expand  “Lawful Access” in Canada - 2012

I. Executive Summary

The federal government has proposed new legislation that seeks to expand “Lawful Access” powers by law enforcement agencies (“LEA”s). Although justified as necessary “modernization” and just “keeping up with criminals”, the proposals are deeply problematic. They would take advantage of new technologies, new modes of communication and new social practices to significantly expand access by LEAs to the personal information of individuals. Indeed, while referred to as “Lawful Access” powers, the lawfulness of some of these powers under the Charter of Rights and Freedoms is questionable.

The proposed expanded LEA powers include:

  • Access to “subscriber data” upon request without either prior judicial authorization or reasonable grounds to suspect criminal behaviour;
  • New preservation orders, available on a low evidentiary standard;
  • New preservation demands with no requirement for prior judicial authorization;
  • New production orders for tracking and transmission data, available on a low evidentiary standard;
  • Lower evidentiary standard for, and expanded scope of, tracking warrants;
  • Expanded scope of warrants for telephone number recorders to encompass all forms of transmission data.

The increased legal power that these proposals would expressly grant to LEAs will be greatly enhanced by the real world context of vastly more and richer personal data now available as a result of new technologies. In a “double whammy” to individual privacy, the reforms would provide LEAs with powerful new tools by which to tap this growing source of investigational data already available for investigations and intelligence-gathering. Moreover, they would do so on the basis of lower evidentiary standards - or in the case of subscriber data, no evidentiary standards at all - thus further eroding the fragile framework of privacy protection that we have constructed to control state surveillance.

Enhancing the new LEA powers would be a requirement for telecommunications service providers (“TSP”s) to be fully intercept-capable – i.e., to configure their networks so as to facilitate authorized interceptions by law enforcement agents. In addition to removing existing technical obstacles to interception by a single agent, this new law would mandate TSPs to permit multiple simultaneous interceptions by LEAs from multiple jurisdictions. Thus, the context in which police exercise their new expanded powers would be even more amenable to state surveillance, with the corollary security risk of unauthorized access and cyber-security attacks via the new mandated “back door” for law enforcement access to private communications.

One might expect that the proposals to expand police powers would be accompanied by an oversight regime with strong measures to ensure public accountability, at least where the  normal requirement for prior judicial authorization is absent. Yet, there is no proposal for meaningful oversight of warrantless access powers and only a few weak measures (e.g., internal reporting and internal audits) designed to allow for some accountability. Unlike the regime governing covert interception of private communications by state authorities, there is no requirement to account publicly for the use of powers to gather data about subscribers and/or users of telecommunications services without warrant, even though data gathered in these ways can now reveal more about an individual than may be revealed by real-time interception of private communications.

Furthermore, all of the new demands, orders and warrants may be made subject to “gag orders” and, again unlike the regime governing covert interceptions by state authorities, individuals  who are subject to state surveillance via the new and expanded search powers have no right to  be notified of the fact. Subjects of state surveillance under these new powers are therefore unlikely ever to know of the activity unless they are eventually charged with an offence.  And if individuals are unaware of searches involving them, they will be unable to challenge  such searches.

Canada is not alone in proposing to expand state surveillance powers and capacity; indeed,  the Lawful Access proposals are motivated to some degree by international peer pressure and Canada’s desire to ratify the Council of Europe’s Convention on Cybercrime. But the experience of other jurisdictions that have enacted similar laws in recent years is not promising:  although the new laws have contributed to an explosion of state surveillance with the  inevitable accompanying misuse of powers, there is little evidence that they have actually improved state security.

Canada is in a privileged position having not yet adopted the approach of these other countries: rather than proceeding on the basis of rhetoric, we can learn from the experience elsewhere and carefully examine the evidence, weighing the costs and risks that expanded state surveillance will generate against its much less clear benefits in terms of increased security. Rather than inviting Charter challenges and public opposition, the government should re-examine these proposals in light of the already increased surveillance powers of LEAs and the absence of any real evidence that the proposed new powers are needed to ensure the security of Canadians.

II. Introduction

In late 2005, the federal government introduced legislation entitled the Modernization of Investigative Techniques Act (“MITA”; Bill C-74). The MITA would have required TSPs to ensure that their networks were capable of supporting interception by LEAs, and would have forced TSPs to hand over certain basic subscriber information upon request by police.  The MITA didn’t survive beyond first reading due to a general election. But in its short life, the Bill generated considerable opposition from the telecommunications industry as well as  from privacy and civil liberties communities.

In June 2009, the government re-introduced remarkably similar legislation entitled the Technical Assistance for Law Enforcement in the 21st Century Act (“TALEA”; Bill C-47). The TALEA was accompanied this time by another bill – the Investigative Powers for the 21st Century Act (“IP21C”; Bill C-46) – which proposed amendments to the Criminal Code designed to facilitate criminal investigations in the new electronic environment. The bills again generated significant opposition from those concerned with privacy and civil liberties. Privacy Commissioners from across the country passed a resolution expressing grave concern about the proposals. 1 The Bills were referred to Committee but were never reviewed and died on the order paper when Parliament was prorogued at the end of 2009.

As expected, the legislation reappeared in substantially the same form in the next session of Parliament. The Investigating and Preventing Criminal Electronic Communications Act (Bill C-52) and An Act to amend the Criminal Code, the Competition Act and the Mutual  Legal Assistance in Criminal Matters Act (Bill C-51), along with a third bill (C-50) addressing what one court 2 had found to be constitutional failings of warrantless 3 interception powers, were introduced in November 2010. Once again, the Privacy Commissioners collectively responded, this time with a letter to the Deputy Minister of Public Safety, expressing their continued concerns with the proposals – in particular, the “insufficient justification for the new powers”, the availability of less intrusive alternatives, the need for a more “focused, tailored approach”, and the need for effective oversight. 4 Bills C-50, 51 and 52 didn’t make it past first reading before another general election was called.  But it is widely expected that they will be re-introduced in the near future.

Together, these bills are referred to as “Lawful Access” initiatives – i.e., modifications of the rules regarding lawful access by police and other LEAs to otherwise private information about citizens. In this report, we use the term “Lawful Access” to mean the legislative proposals in question (rather than the existing set of rules permitting police access to private information).

In anticipation of the bills being reintroduced and making it to the committee stage, this report provides an in-depth legal/constitutional analysis of the proposals as they last appeared.  It explains the import of the proposals for fundamental rights and freedoms and assesses them in terms of citizen rights. It sets the proposals in the larger domestic and international context, briefly reviewing the experience with similar lawful access initiatives in other jurisdictions.

The report concludes that the massive expansion of state surveillance powers and capabilities that would be created by the Lawful Access proposals, along with the consequent invasions of privacy and chilling of free speech, is vastly disproportionate to any benefit that the proposals would provide in terms of crime reduction. It points out that the effect of the legal powers that these proposals would expressly grant to LEAs will be compounded by the real world context  of vastly more and richer personal data already available to police as a result of modern tracking devices and new communications technologies. As a result, the adverse impact on individual privacy of the kinds of investigations that would be facilitated by these new powers is much greater than was the impact on privacy of police investigations of similar investigations using  old technology. Yet the proposals are accompanied by no meaningful regime to ensure effective oversight or accountability.

After subjecting each of the main proposals to a detailed analysis under sections 8 and 1 of the Charter, the report concludes that some of the new powers are unlikely to survive constitutional scrutiny. Those that pass the constitutional test are questionable in any case on policy grounds because of their potential for abuse, the increased risk to security that they would cause and/or the lack of a compelling justification for them. The experience of other jurisdictions with similar legislative initiatives is reviewed, highlighting the potential for such risks to be realized.

III. The Need for Strict Controls on State Surveillance

“The vibrancy of a democracy is apparent by how wisely it navigates through those critical junctures where state action intersects with, and threatens to impinge upon, individual liberties. Nowhere do these interests collide more frequently than in the area of criminal investigation.” 5

Prior to the enactment of the Canadian Charter of Rights and Freedoms, LEAs in Canada  had broad powers of search and seizure. “Writs of assistance” could be obtained from a judge  of the Exchequer Court (now the Federal Court), without discretion to refuse, for the purpose of enforcing certain statutes. 6 Police officers armed with a writ of assistance could enter and search private homes without a search warrant specific to the investigation in question. Other legislative provisions gave police officers the right to enter any place, not just dwelling houses, to search for contraband. In general, the manner in which LEAs obtained evidence in the course of their duties was of no legal consequence, except in two specific contexts: obtaining confessions and electronic interception of private communications, which were subject to constraints under the common law and the Criminal Code, respectively. 7

Not surprisingly, such warrantless search powers were abused by police. In one infamous incident involving the raid of a Fort Erie tavern in 1974, “police physically searched almost all  of the 115 patrons and subjected the 35 women present to strip and body-cavity searches” in an attempt to find illicit drugs. 8 This outrageously disproportionate use of force produced a total of “six ounces of marijuana, most of which was located on the floor of the tavern as opposed to on articles of clothing or within bodily cavities”. 9

Consistent with the growing societal intolerance of such state intrusions, the Canadian Charter of Rights and Freedoms was entrenched as part of the Canadian constitution, and included a “guarantee of protection against unreasonable search and seizure” by the state. 10 This was a turning point in Canadian legal history, as it resulted in the striking down of writs of assistance and other broad statutory powers of warrantless search. It also prompted the development of statutory limits on state powers of surveillance. 11

Since 1982, the Supreme Court of Canada has faced an ongoing task under s.8 of the Charter  of balancing individual liberty rights and privacy interests with a societal interest in effective policing. In so doing, it has emphasized the importance of maintaining clear limits on state surveillance. As noted by Chief Justice Beverley McLachlin in a 2008 lecture focusing on the challenge of fighting terrorism while protecting civil liberties, the Court:

…[takes] an approach that starts with the primacy of rights and liberties, [and] permits the state to impose limits, but only where and to the extent that the state can justify these limits as reasonable in a free and democratic society.  By putting the burden on the government to justify infringements on rights  in the name of the broader public good, Canadian law palliates the  ever-present danger that rights and liberties will be eroded in the name of fighting terrorism. 12

The Court has made numerous statements about the need for strict constraints on police surveillance.  In R. v. Tessling, Binnie J. stated, for the Court:

Few things are as important to our way of life as the amount of power allowed the police to invade the homes, privacy and even the bodily integrity of members of Canadian society without judicial authorization. As La Forest J. stated in R. v. Dyment, … “[t]he restraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state”. 13

LaForest J. elaborated on the point, stating as follows:

The needs of law enforcement are important, even beneficent, but there is danger when this goal is pursued with too much zeal. Given the danger to individual privacy of an easy flow of information from hospitals and others, the taking by the police of a blood sample from a doctor who had obtained it for medical purposes cannot be viewed as anything but unreasonable in the absence of compelling circumstances of pressing necessity; see R. v. Santa (1983), 23 M.V.R. 300, 6 C.R.R. 244 (Sask. Prov. Ct.), at p. 251. The need to follow established rules in cases like this is overwhelming. We would do well to heed  the wise and eloquent words of Brandeis J. (dissenting) in Olmstead v. United States, 277 US 438 at p. 479 (1928): "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well - meaning but without understanding. 14

In a later case, R. v. Duarte, Justice La Forest for the majority further described this concern as follows:

... the regulation of electronic surveillance protects us from a risk of a different order, i.e., not the risk that someone will repeat our words but the much more insidious danger inherent in allowing the state, in its unfettered discretion, to record and transmit our words. The reason for this protection is the realization that if the state were free, at its sole discretion, to make permanent electronic recordings of our private communications, there would be no meaningful residuum to our right to live our lives free from surveillance. The very efficacy of electronic surveillance is such that it has the potential, if left unregulated, to annihilate any expectation that our communications will remain private.  A society which exposed us, at the whim of the state, to the risk of having a permanent electronic recording made of our words every time we opened our mouths might be superbly equipped to fight crime, but would be one in which privacy no longer had any meaning. As Douglas J., dissenting in United States v. White, supra, put it, at p. 756: “Electronic surveillance is the greatest leveler of human privacy ever known.” If the state may arbitrarily record and transmit our private communications, it is no longer possible to strike an appropriate balance between the right of the individual to be left alone and the right of the state to intrude on privacy in the furtherance of its goals, notably the need to investigate and combat crime. 15

Scholars have also addressed this issue, focusing in recent years on the challenges to individual privacy created by new technologies. Many have emphasized the importance of anonymity in allowing people to express unpopular ideas and be critical of those in power without risking retaliation or opprobrium. George Orwell’s fictional world where everything people say and do is monitored, recorded and scrutinized is widely acknowledged as antithetical to democracy and fundamental freedoms; indeed, many Canadian citizens fled here from other states precisely because of such state oppression.

In an article entitled “Why Privacy Matters Even if You Have 'Nothing to Hide'”, 16 American privacy law expert Daniel Solove delves further into the threats and harms of inadequately checked state surveillance. He points out that governments can aggregate seemingly innocuous bits of information about us into highly revealing profiles; that they can exclude us from knowing about and thus controlling uses of our personal information (especially in respect of national security investigations); and that the gathering of selective information about individuals often provides a distorted picture of the real person, resulting in faulty inferences.

We in Canada should not forget our own history of inappropriate state surveillance, including  the “dirty tricks campaign” of the RCMP during the 1970s. This shameful operation involved break-ins, arson and theft conducted by police officers against left-leaning press and political parties in the name of public safety. Deception (lying to the Minister) almost kept it secret until some participants admitted their actions. A public inquiry into the affair led to the transfer of the national security mandate to a new civilian agency, the Canadian Security Intelligence Service (CSIS) and the establishment of the Security Intelligence Review Committee, tasked with overseeing the operations of CSIS. 17

State surveillance activities, enhanced by the increasing powers of new technology, create significant risks to individual privacy and the maintenance of a free and democratic society.  Overly zealous law enforcement officers need to be held in check by clear limits on their actions, as well as an effective regime of oversight and accountability.

IV. Existing Legal Constraints on State Surveillance

The primary constraint on police powers in Canada is the Charter of Rights and Freedoms, section 8 of which states that “Everyone has the right to be secure against unreasonable search or seizure.” Section 8 jurisprudence has evolved considerably in recent years to accommodate informational privacy. Also relevant in terms of limits on police powers to access private data  are certain provisions of the Criminal Code, as well as private sector data protection legislation which places some limits on the ability of organizations to disclose such data to the police. This chapter provides an overview of constitutional and statutory constraints on electronic surveillance by the state.

Charter of Rights and Freedoms

Section 8: “Everyone has the right to be secure against unreasonable search or seizure.”

The constitutional right to be free from unreasonable search and seizure applies not just to property or territorial invasions, but to a broader notion of privacy including informational privacy. As Justice Dickson noted in the first major decision interpreting s.8 of the Charter, Hunter v. Southam, as with the fourth amendment in the United States, it “protects people, not places”. 18 As early as 1993, long before the ubiquity of electronic communications, Justice Sopinka noted the importance of informational privacy in the computer age, quoting from the Report of the Task Force on Privacy and Computers:

In modern society, especially, retention of information about oneself is extremely important. We may for one reason or another, wish or be compelled to reveal such information, but situations abound where the reasonable expectations of the individual that the information shall remain confidential to the persons to whom, and restricted to for the purposes for which it is divulged, must be protected. 19

The Court has since elaborated on the right to informational privacy under s.8 in a series of decisions involving, for example, the use by police of electricity records, 20 devices to measure electricity use in the home, 21 devices to detect heat emanating from the home, 22 tracking devices installed on cars, 23 sniffer dogs, 24 and trash left for pickup. 25

The initial test for application of s.8 hinges on whether or not the state intrusion violated a “reasonable expectation of privacy” on the part of the complainant. Only where the subject’s reasonable expectation of privacy was violated will the court find that a “search” or “seizure” under s.8 has occurred. If it is determined that a reasonable expectation of privacy was violated, a further inquiry is necessary to determine whether the search in question was authorized by a reasonable law and carried out in a reasonable manner. 26 If the search is found to have been so authorized and carried out, it will not offend s.8 even if it violated the individual’s reasonable expectation of privacy.

Where individuals are found to have been subjected to an unreasonable search or seizure,  the next question is whether admission of the evidence gathered via the unconstitutional  search/ seizure would bring the administration of justice into disrepute. If so, the evidence  is to be excluded, according to s.24(2) of the Charter. The exclusion of evidence under s.24(2) of the Charter thus serves as a safeguard for accused individuals who have been made  subject to unreasonable searches, as well as a strong deterrent to unreasonable searches  and seizures generally.

Where the authorizing legislation itself is being challenged as unconstitutional under the Charter, the next step – after determining that the search powers in question violate objectively reasonable expectations of privacy – is to determine whether the legislation can nevertheless  be justified under s.1 of the Charter as a “reasonable limit prescribed by law as can be demonstrably justified in a free and democratic society”. The party seeking to uphold the limit bears the onus of justifying it, according to the test laid out in R. v. Oakes (see below).

Reasonable Expectation of Privacy

When assessing whether an expectation of privacy is reasonable in a given case, the court has developed a two-stage test focusing on the totality of circumstances: (1) whether the individual concerned had a subjective expectation of privacy in the subject matter of the alleged search, and (2) whether that subjective expectation was objectively reasonable.27 In both cases, it is important to take heed of the Court’s caution that “Expectation of privacy is a normative rather than a descriptive standard.” 28 In other words, it should ultimately be determined by our notions of what should be the case, not by technology, business practices or state practices that may themselves offend privacy.

Subjective Expectation of Privacy

The test for subjective expectation of privacy is a “low hurdle and individuals are presumed  to have a subjective expectation of privacy regarding information about activities within the home”. 29  While “a person can have no reasonable expectation of privacy in what he or she knowingly exposes to the public, or to a section of the public, or abandons in a public place”, 30 personal information not so exposed or abandoned logically attracts a subjective expectation  of privacy on the part of the individual to whom it pertains. This conclusion is buttressed by the existence of comprehensive data protection legislation covering both public and private sectors across Canada.

Moreover, the Supreme Court has noted that the absence of a subjective expectation of privacy,

…should not be used too quickly to undermine the protection afforded by s.8 to the values of a free and democratic society.  In an age of expanding means for snooping readily available on the retail market, ordinary people may come to fear (with or without justification) that their telephones are wiretapped or their private correspondence is being read.... Suggestions that a diminished subjective expectation of privacy should automatically result in a lowering  of constitutional protection should therefore be opposed. 31

Where legislation itself is being challenged as unconstitutional under s.8, the existence of a subjective expectation of privacy is inapplicable, since there are many potential subjects in question each of whom may have a different subjective expectation. The key inquiry in such cases, therefore, is into whether or not there is an objectively reasonable expectation of privacy  in the subject-matter of the investigatory power being challenged.

Objectively Reasonable Expectation of Privacy

The objective reasonableness of an expectation of privacy in information must take into  account the “totality of the circumstances” of each particular case. 32 It will depend on  numerous factors, including the nature and quality of the information gathered as well as  the circumstances of the gathering.

Nature of the Information

It is well established that “information which tends to reveal intimate details about a person’s lifestyle and personal choices” or that constitutes a “biographical core of personal information” will attract a reasonable expectation of privacy. 33  But as Binnie J. explained in R. v. A.M.,

Not all information that fails to meet the "biographical core of personal information" test is ... open to the police. Wiretaps target electrical signals that emanate from a home; yet it has been held that such communications are private whether or not they disclose core "biographical" information. ...  The privacy of such communications is accepted because they are reasonably intended by their maker to be private... 34

In the context of sniffer dogs, the Court has found that s.8 protects “specific and meaningful information intended to be private and concealed in an enclosed space in which the accused  had a continuing expectation of privacy”. 35 What matters is “the significance and quality of  the information obtained about concealed contents, whether such contents are in a suspect’s belongings or carried on his or her person.” 36

Circumstances of the Information Gathering

As noted above, the totality of circumstances must be considered in each case. Relevant circumstances include:

  • the place where the alleged “search” occurred;
  • whether the informational content of the subject matter was in public view;
  • whether the informational content of the subject matter had been abandoned;
  • whether such information was already in the hands of third parties and if so, whether it was subject to an obligation of confidentiality;
  • whether the police technique was intrusive in relation to the privacy interest; and
  • whether the use of this evidence gathering technique was itself objectively unreasonable.


If it can be said that the privacy interest had been abandoned or waived, for example through failure to take measures to protect the confidentiality of the information where such measures were available, the Court will find against a reasonable expectation of privacy. 38

Whether the complainant had notice that the information could be shared with police for law enforcement purposes is clearly relevant. However, the effectiveness of such notice is also relevant.  In R. v. Gomboc, the Court was split as to the weight to be given to the existence of  a public regulation stating that the utility could share customer data with police and allowing customers to request confidentiality.  Four of the nine judges found that the regulation was but one of many factors to consider, while three found it determinative (since the complainant had failed to exercise his right to request confidentiality). The remaining two (dissenting) judges found that the regulation had no effect on reasonable expectations of privacy because:

The average consumer signing up for electricity cannot be expected to be aware of the details of a complex regulatory scheme – the vast majority of which applies to the companies providing services, and not to the consumers themselves – which permits the utility company to pass information on electricity usage to the police, especially when a presumption of awareness operates to, in effect, narrow the consumer’s constitutional rights. 39

Similarly, the terms of service as between a complainant and the party who shared the complainant’s information with the police is relevant. While the Supreme Court of Canada has yet to rule on this specific issue, it has been the focus of a number of lower court cases.  In general, courts have held that clear terms permitting a telecommunications service provider  to share customer information with the police in circumstances that include those in question  will destroy any objectively reasonable expectation that such information will not be so shared.40  Cases in which a reasonable expectation of privacy has been found tend to turn on an absence  of evidence regarding the customer agreement, or terms that do not clearly cover the circumstance in question. 41

Requirement for Prior Judicial Authorization

Prior judicial authorization, where feasible, is a precondition for a constitutionally valid search. 42  After repeating that the purpose of s. 8 of the Charter was to protect individuals against unjustified state intrusion, Dickson J. stated at p. 160:

That purpose requires a means of preventing unjustified searches before they happen, not simply of determining, after the fact, whether they ought to have occurred in the first place. This, in my view, can only be accomplished by a system of prior authorization, not one of subsequent validation. 43  [emphasis in original.]

Explaining this requirement further, Dickson J. stated:

The purpose of a requirement of prior authorization is to provide an opportunity, before the event, for the conflicting interests of the state and the individual to be assessed, so that the individual’s right to privacy will be breached only where the appropriate standard has been met, and the interests of the state are thus demonstrably superior. For such an authorization procedure to be meaningful it is necessary for the person authorizing the search to be able to assess the evidence as to whether that standard has been met, in an entirely neutral and impartial manner.  44

LaForest J. added to this reasoning in a later case involving s.8:

... if the privacy of the individual is to be protected, we cannot afford to wait  to vindicate it only after it has been violated. This is inherent in the notion  of being secure against unreasonable searches and seizures. Invasions of privacy must be prevented, and where privacy is outweighed by other societal claims, there must be clear rules setting forth the conditions in which it can  be violated. This is especially true of law enforcement, which involves the freedom of the subject. 45

In general, where no circumstances exist which make the obtaining of a warrant 46 to search  an office impracticable, and where the obtaining of a warrant would not impede effective law enforcement, a warrantless search cannot be justified and does not meet the constitutional standard of reasonableness. 47

However, referring to post-Southam Supreme Court decisions finding that prior authorization  is not required for customs searches at border crossings 48 or searches by school authorities, 49  Binnie J. has noted that the although the presumptive requirement for prior authorization remains, “the jurisprudence thus accepts a measure of flexibility when the demands of reasonableness require”. 50

Standard for granting search warrants

The standard for granting search warrants and production orders is critical insofar as a weaker standard is more likely to encourage the "fishing expeditions" that would be deterred by a stronger standard. In Southam, the Court held that prior authorization for searches and seizures should bebased on a standard of belief, not suspicion. In the words of Dickson J.,

...The purpose of an objective criterion for granting prior authorization to conduct a search or seizure is to provide a consistent standard for identifying the point at which the interests of the state in such intrusions come to prevail over the interests of the individual in resisting them. To associate it with an applicant’s reasonable belief that relevant evidence may be uncovered by the search, would be to define the proper standard as the possibility of finding evidence. This is a very low standard which would validate intrusion on the basis of suspicion, and authorize fishing expeditions of considerable latitude.  It would tip the balance strongly in favour of the state and limit the right of the individual to resist, to only the most egregious intrusions. I do not believe that this is a proper standard for securing the right to be free from unreasonable search and seizure. 51

Anglo-Canadian legal and political traditions point to a higher standard. The common law required evidence on oath which gave “strong reason to believe” that stolen goods were concealed in the place to be searched, before a warrant would issue. Similarly, section 487 of the Criminal Code authorizes a warrant only upon oath that there are “reasonable grounds  to believe” that there is evidence of an offence in the place to be searched.

In Hunter v Southam Inc., the Court set the following standard:

The state’s interest in detecting and preventing crime begins to prevail over the individual’s interest in being left alone at the point where credibly-based probability replaces suspicion. History has confirmed the appropriateness of this requirement as the threshold for subordinating the expectation of privacy to the needs of law enforcement. Where the state’s interest is not simply law enforcement as, for instance, where state security is involved, or where the individual’s interest is not simply his expectation of privacy as, for instance, when the search threatens his bodily integrity, the relevant standard might well be a different one. 52

The applicability of this standard was confirmed by the Supreme Court in a 1992 case involving the constitutionality of a statutory provision authorizing search and seizure of records relating to income tax:

Section 231.3(3)(b) [of the Income Tax Act], requiring the authorizing judge  to be satisfied that a document or thing which "may afford evidence" is  "likely to be found", does not water down the minimum constitutional standard for the probability that the search will unearth evidence. The need to protect individuals against unreasonable searches in the form of "fishing expeditions" by the state has been recognized. A standard of credibly based probability rather than mere suspicion must be applied in determining when an individual's interest in privacy is subordinate to the needs of law enforcement. 53

In recent years, the Court has held that the application of a lower evidentiary standard for authorizing or proceeding with a search is acceptable in certain circumstances if prescribed by legislation that can be reasonably and demonstrably justified in a free and democratic society. 54 Indeed, some Supreme Court judges have explicitly encouraged the adoption of such legislated standards in the context of tracking devices.  As Cory J. stated in R. v. Wise:

I agree with my colleague that it would be preferable if the installation of tracking devices and the subsequent monitoring of vehicles were controlled by legislation. I would also agree that this is a less intrusive means of surveillance than electronic audio or video surveillance.  Accordingly, a lower standard such as a "solid ground" for suspicion would be a basis for obtaining an authorization from an independent authority, such as a justice of the peace, to install a device and monitor the movements of a vehicle. 55

LaForest, J., dissenting from Cory J. in the result, agreed that lower evidentiary standards might be appropriate in certain cases but emphasized the need for full justification:

Given the somewhat less intrusive nature of this means of surveillance, if properly controlled, than electronic audio or video surveillance, a case might be made for empowering a judicial officer in certain circumstances to accept a somewhat lower standard, such as the "solid ground" for suspicion which the peace officers claimed here, if it can be established that such a power is necessary for the control of certain types of dangerous or pernicious crimes...Still this should not be permissible in the absence of cogent reasons. 56 (emphasis added)

A lower evidentiary standard may be acceptable even where not prescribed by legislation.

While a strong minority of judges in the 2008 “sniffer dog” cases refused to apply a  suspicion-based standard in the absence of a legislative regime prescribing it, a majority  of judges would have done so as a matter of common law in that case, given the “minimal intrusion, contraband-specific nature and pinpoint accuracy of a sniff executed by a trained  and well-handled dog”. 57 As these judges pointed out, the Court has applied a lower,  pre-Charter common law test for state intrusion in some s.8 cases, notably those involving forced entry in response to a 911 call, 58 bodily searches incidental to an arrest 59 and investigative detention 60 without warrant. That test has been articulated by the Court as follows:

The interference with liberty must be necessary for the carrying out of the particular police duty and it must be reasonable, having regard to the nature of the liberty interfered with and the importance of the public purpose served by the interference. 61

In a recent decision involving the monitoring of electricity usage flowing into a home by way of a special device, the Chief Justice and Fish J., dissenting from the majority by finding that such police surveillance did invade the accused’s reasonable expectation of privacy, then went on and applied the common law test for whether such a state intrusion was authorized by law. Finding that the warrantless use of the device by the police failed the second branch of the common law test, they reasoned that:

This is not a case like Kang-Brown where police used a sniffer dog to detect drugs in the bag of a suspicious-looking person at a bus station. A police “stop and search”, by virtue of its exigent nature, provides a more compelling reason for expanding common law police powers than a situation like the present where a warrant can be obtained in a timely fashion with appropriate grounds. 62

Thus, common law does not permit state agents to forego the requirement for prior authorization except in exigent circumstances. The Supreme Court has yet to rule on whether a statutory provision permitting warrantless searches in non-exigent circumstances would survive constitutional challenge, 63 or on the constitutionality of legislation applying the lower  suspicion-based standard. 64

Agents of the State

Police cannot avoid the application of the Charter by doing indirectly what they cannot do directly. In this respect, courts have developed a test for determining when a private party is acting as an agent of the state. This test, first articulated by the Supreme Court of Canada in  R. v. Broyles, 65 a case in which a private citizen was used by police to record a conversation  with an accused in a jail cell, is as follows: “would the exchange between the accused and the informer have taken place, in the form and manner in which it did take place, but for the intervention of the state or its agents?” 66

In subsequent cases applying that test, the Court has found that mere co-operation between a vice-principal of a school and the police was insufficient to establish that the vice-principal’s search of a student was conducted any differently due to police intervention, or that the  vice-principal was a police agent. 67 Security guards who acted independently in initiating a search of a bus depot locker, were found not to be acting as state agents, as their relationship with the police developed only after that search. 68 In a case involving a blood sample obtained  by a doctor, the Supreme Court acknowledged that there are some circumstances where a doctor clearly acts as an agent of the state. But where the sample is not taken pursuant to the  Criminal Code, or at the request of the police, there is no agency relationship for the purposes  of the Charter. 69

Courts of Appeal decisions shed further light on what turns voluntary private action into cooperation amounting to state agency. In a case involving Internet Service Provider (“ISP”) disclosure of an accused’s e-mail to the police, the Alberta Court of Appeal held that the ISP  was not acting as an agent of the state prior to its contact with police because “[a]t that point,  the ISP was simply performing a routine repair of the appellant's electronic mailbox at his request,” but that the ISP “was acting as an agent of the state when it forwarded a copy of the message to the police at the request of the police officer.” 70 Where a security guard initiated an inquiry because of her own safety concerns and her private duties to the mall, she was found not to have been acting as an agent of the state when she inquired about the item in the respondent’s hands. 71 And while merely answering questions from the police about the period of time that a blood sample would be retained by the hospital does not turn a doctor/hospital into an agent of the state, retaining the blood sample beyond the normal hospital retention period upon request of the police, solely for the purpose of the police, does turn the doctor/hospital into an agent of the state. 72

Section 1: The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society. 

According to the test laid out by the Supreme Court of Canada in R. v. Oakes, 73 two requirements must be satisfied to establish that a legislated limit “of a Charter right” is reasonable and demonstrably justified in a free and democratic society. First, the legislative objective which the limitation is designed to promote must be of sufficient importance to warrant overriding a constitutional right. It must bear on a “pressing and substantial concern”. Second, the means chosen to attain those objectives must be proportional or appropriate to the ends. The proportionality requirement has three aspects: the limiting measures must be carefully designed, or rationally connected, to the objective; they must impair the right as little as possible; and their effects must not so severely impinge upon individual or group rights that the legislative objective, albeit important, is nevertheless outweighed by the abridgement of rights.

As the Court stated in a later case, this test is ultimately concerned with “whether the benefits which accrue from the limitation are proportional to its deleterious effects”. 74

In a number of cases, the Supreme Court has found that while random spot checks by police do violate the right under s.9 of the Charter of drivers “not to be arbitrarily detained”, they are justified under s.1 as reasonable limits, given the statistics relating to the carnage on the highways, the nature and degree of the intrusion of a random stop for the purposes of the spot check procedure, and the fact that the driving of a motor vehicle is a licensed activity subject to regulation and control in the interests of safety. 75 As stated by the Court in R. v. Ladouceur:

The means chosen was proportional or appropriate to those pressing concerns.  The random stop is rationally connected and carefully designed to achieve safety on the highways and impairs as little as possible the rights of the driver.  It does not so severely trench on individual rights that the legislative objective is outweighed by the abridgement of the individual's rights.  Indeed, stopping vehicles is the only way of checking a driver's licence and insurance, the mechanical fitness of a vehicle, and the sobriety of the driver. 76

Now under appeal before the Supreme Court of Canada, a 2008 decision of Davies J. of the British Columbia Supreme Court held that s.184.4 of the Criminal Code, which authorizes interception of private communications without prior judicial authorization in certain circumstances, violates s.8 of the Charter and is not saved by s.1 because of the lack of  adequate safeguards against state abuse of the provision. 77 Judge Davies enumerated the many additional safeguards applicable to interceptions under other provisions of the Code that could be applied, but have not been applied, to s.184.4 interceptions. 78 A judge of the Ontario Superior Court also found s.184.4 constitutionally wanting, but in only two respects, each of which could in his view be remedied either by severance or “by reading down”. 79 Bill C-50, introduced by the government in the last session of Parliament, would have added some of the safeguards to s.184.4 that the lower courts noted were missing.

The Criminal Code

In addition to constitutional limits on state surveillance are statutory constraints (themselves subject to constitutional challenge). The Criminal Code sets out a regime for state intrusions  on individual privacy, distinguishing between real-time interception of private communications (Part VI) and search and seizure (Part XV – ss.487ff). In general, it applies the highest  standard of protection against state intrusion to real-time interception of communications  and video surveillance.

Interceptions are permitted only for the purpose of investigations of those serious offences listed in s.183. In cases of interception with consent (most commonly, an informer), police must obtain prior authorization on the basis of reasonable grounds to believe that one of the listed offences has been or will be committed and that information concerning the offence will be obtained via the interception. 80 Prior authorization is not required for interceptions with consent of one party where certain other conditions apply (to prevent bodily harm 81 or in a situation of urgency), 82 but the party conducting the interception must nevertheless have reasonable grounds to believe  that the specified conditions exist. Interceptions without consent are permitted only if a judge (not justice of the peace) is satisfied that (a) there is no other feasible, less intrusive method of obtaining the evidence (unless the investigation regards organized crime or terrorism), and (b) the interception is in the best interests of the administration of justice. 83

Ex post facto safeguards for real-time interceptions include annual reporting requirements and  a requirement to notify the subject of the interception within 90 days of the end of the authorization period. 84

Other state powers of search and seizure, including production orders and tracking warrants,  are subject to a completely different regime. They are not limited to particular serious offences. Nor do they include ex post facto reporting or notification requirements. Prior authorization can be obtained from a justice of the peace as opposed to a judge, and is not required in exigent circumstances. 85 Evidentiary standards vary according to the type of search or order sought.  General search powers and production orders, like interceptions, require reasonable grounds to believe that an offence has been or will be committed and that the information to be obtained  will afford evidence respecting the offence in question. 86

However, tracking warrants, warrants to use telephone number recorders, and production orders for specific financial account information are all subject to a lower evidentiary standard, presumably on the basis that they represent a lesser intrusion into individual privacy. 87 In the case of tracking warrants, the justice must be satisfied that there are reasonable grounds to suspect that an offence has been or will be committed and that information relevant to the offence can be obtained through the use of the tracking device. 88 Warrants for dial number recorders and production orders for specific financial account data are both available on the  basis of reasonable grounds to suspect that an offence has been or will be committed and that information obtained will assist in the investigation of the offence. 89

Data Protection Legislation

LEAs are also indirectly limited in their data collection activities by data protection legislation, which places restrictions on the right of organizations to divulge “personal information”  (defined as any information about an identifiable individual) to others without the individual’s consent. Telecommunications service providers are federally regulated, and so the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to them.

Under PIPEDA, TSPs are permitted to disclose personal information to LEAs if they have  the individual’s consent or if they are required to do so by court order, warrant or subpoena. 90  They are also permitted to disclose such information to police on their own initiative if they  have reasonable grounds to believe that the information relates to an offence or if they suspect that it relates to national security. 91 Finally, they may provide personal data in response to a request by a law enforcement agency that has “identified its lawful authority to obtain the information” and has indicated either that it “suspects that the information relates to national security”, or that it is requesting the information for the purpose of (a) investigating or enforcing a domestic or foreign law, or (b) administering a domestic law. 92 But unless they are required to disclose the information by court order, for example, TSPs can refuse to do so.

V. The Changing Context

Far from "Going Dark" as a result of advances in technology, the FBI and other law enforcement agencies are experiencing a boon in electronic surveillance. 93

The Criminal Code provisions on interception of private communications and search and seizure were designed in the pre-internet era, when people communicated across distances largely by telephone and postal mail. The content of one’s telephone communications was ephemeral  (other than in exceptional circumstances), and the content of one’s postal communications was unrecorded (except possibly by the sender or recipient).

The internet – and other new technologies – has changed all that.  Now people communicate to an increasing extent by electronic mail, online social networking, online chat and text messaging – digital modes that automatically record not only the message but the transmission information surrounding it. We also use the internet to seek information of interest to us, to engage in transactions and to share information with others through websites and social networking sites.  All of this online activity leaves a digital trail that cannot be easily hidden and that can never  be fully erased. Our digital trails are stored on computer servers operated by service  providers as well as on our own personal computers, where they are available for lawful  (and unlawful) access.

Electronic exchange has thus superseded voice as the main way in which we communicate other than face-to-face. We now send e-mails or text messages instead of telephoning friends.  Information that in the past was obtainable only by real-time interception is now available via much less onerous searching, long after the fact. Most of us don’t give much thought to the privacy implications of these powerful new methods of communication – we simply trust that our private communications will stay out of prying hands. The same privacy interest inheres in the communication: only the mode has changed.

With digital technologies, as soon as a text or email communication takes place it is immediately stored on a server somewhere in the world that is remotely accessible by authorized third-parties. The implications of this for LEAs are enormous: no longer must an intelligence or police officer be physically proximate to the communication, wait patiently for a communication to occur,  or await the delivery of physical copies of messages after they arrive in a storage location.  Now authorities can remotely access communications in near-real-time; 94 close enough to when the communication take place as to provide comparable response capabilities as with  a real-time communication.

Moreover, we are exchanging and exposing exponentially more information about ourselves now as a result of these electronic technologies than we did in the past. Some of this exposure is voluntary and informed – e.g., personal websites of adult professionals. Much is voluntary but uninformed – think of young people’s Facebook profiles, the record of your book purchases on, or all those “user agreements” that you click “I agree” to without reading.  And some is neither voluntary nor informed – e.g., information about us posted by others, or online communications to us from others. Regardless, the information that we leave in our digital footprints is far more extensive than was the information that we left in our voice and written communications just twenty years ago. It reveals details about our social circles, our friendships and love lives, our professional activities, our business plans, our political leanings and our religious affiliations, to mention just a few potentially sensitive topics.

In addition to the digital trails we leave online are the digital trails that we now leave in the offline context. We use automatic teller machines rather than waiting in line at the bank.  We use debit and credit cards instead of cash. We store our voice mail on computers owned by the telephone company rather than on machines in our homes and offices. We use RFID-enabled access cards rather than keys to access our offices and apartments. We use Global Positioning System (“GPS”) enabled mobile telephones that track our whereabouts, rather than public payphones that can’t be traced to us. We use electronic road tolls rather than stopping to pay in cash. This data can reveal exactly where we went, at exactly what time, and for what purpose, from the time we rise in the morning to the time we go to bed.

Furthermore, new technologies allow businesses and others to compile these digital trails into highly revealing personal profiles at very little cost or effort. In fact, any business that does not accumulate and analyze its customer information, for its own purposes if not for the purpose of sharing with others, is now seen as wasting a valuable commercial resource. Loyalty cards are hugely popular among consumers, allowing companies to amass an ever-richer profile of each consumer. Our credit histories are collected, stored, and sold by companies we don't even know exist. An entire industry of data-brokers has emerged to capitalize on the profit to be made from mining and selling this information. The personal profiles thus compiled can reveal more about us than we ourselves appreciate.

Authorities thus now have available to them a veritable goldmine of personal data, unlike anything available to them in the past. Much of this information is publicly available, and  value-added versions of it can be purchased on the open market. Investigators need only sit at a computer to find evidence of illegal activity and begin tracing it to a suspect. Individuals often disclose intensely personal and revealing information about themselves online, under pseudonyms and usernames, assuming that their privacy is protected by a cloak of anonymity.  All that is needed to complete the package is a name and address.

And vastly more information is now available to authorities when they do get permission to track individuals via GPS-enabled devices or transmission data recorders, or to obtain subscriber/user records from service providers. Telephone numbers have been replaced with transmission data that provides precise information about routing, signalling, origination and destination addresses.

Tracking devices can now be remotely activated and adjusted, enabling 24 hours a day  “dragnet” surveillance at minimal cost – i.e., a complete technological replacement for  physical human surveillance.

As Daniel Solove points out,

Technology is giving the government unprecedented tools for watching people and amassing information about them - video surveillance, location tracking, data mining, wiretapping, bugging, thermal sensors, spy satellites, X-ray devices, and more. It’s nearly impossible to live today without generating thousands of records about what we watch, read, buy, and do–and the government has easy access to them.


The context of police access to information has thus changed dramatically, even just over the past decade. There is now far more information, and far richer information, about individuals freely available to LEAs. A similarly larger body of richer information is also now available to LEAs through interceptions, searches and production orders than was ever available in the past. At the same time, technological developments continue to further facilitate and enhance surveillance of others, authorized or not. Yet the privacy interest in such information has not changed - individuals are just more vulnerable now to privacy invasions than ever before.

Proponents of Lawful Access argue that “[l]egislation must be modernized in order to keep pace with modern communications technology and give investigators the tools they need to perform complex investigations in today’s high-tech world”. 96 There is indeed a need to “modernize” criminal laws to take into account these new realities. But the new reality actually makes available to police more, not less, information about us. Legislative modernization therefore needs to provide for stronger, not weaker, controls on state surveillance.

VI. The Proposals


The proposed new laws and amendments break down into two types: those enhancing the legal powers of police to engage in search and seizure, and those enhancing the practical ability of police to exercise their powers. In the latter category is the proposal to require that all telecommunications service providers be capable of facilitating interceptions by authorized government agents. The remaining proposed law reforms fall into the former category.

The proposals would make numerous changes to the statutory powers governing state access  to private information in the course of law enforcement investigations. With one exception (tracking warrants for devices carried or worn by individuals), these reforms would give law enforcement agents greater powers to access information, either by expanding the scope of certain warrants, providing a means to ensure that potentially relevant information is preserved while a production order is being sought, lowering the applicable standard for obtaining certain orders and warrants, or, in the case of subscriber data as well as preservation demands, eliminating the need for prior authorization at all.

To the extent that this law reform initiative is designed to bring more clarity to the rules governing certain aspects of search and seizure, it is to be welcomed. The Supreme Court has struggled in recent years when applying the Charter to informational privacy in the context of rapidly changing technologies and social practices, without clear legislative standards. 97  However, it is misleading to characterize these reforms as mere clarification or “modernization” of the law – jurisprudence on the common law and constitutional validity of the proposed standards and measures is mixed, and the “modernization” that these proposals would bring about does not simply maintain existing state powers – it expands them, significantly.

Each proposal is described and analyzed below.

Mandatory Intercept Capability by Telecommunications Service Providers

Following the lead of other jurisdictions including the United States (US), United Kingdom (UK) and Australia, Canada is proposing to compel TSPs to be technically capable of intercepting communications over their networks and of providing such intercepted communications to authorized law enforcement officials. 98 TSPs would be required to isolate communications to a particular individual and to enable simultaneous interception of multiple communications as well as simultaneous interceptions by law enforcement authorities from multiple jurisdictions. 99 TSPs would be required to decrypt intercepted communications that are encrypted (or otherwise made unreadable by a TSP) if they have the means to do so. 100 TSPs would also be required to assist in testing police surveillance capabilities 101 and to disclose the names of all employees who may be involved in interceptions (and who may therefore be subject to RCMP background checks). 102 Failure to comply with these obligations would be subject to significant financial penalties.


This proposal would not expand police powers as such; the same rules for authorizing interceptions would continue to apply. It would, however, significantly expand police ability  to engage in interception of communications when they have obtained authority to do so.  It can thus be expected to result in a significant increase in wiretaps by LEAs.

Although we look to legal constraints rather than technical obstacles to limit state surveillance, there is reason to be concerned about the “architecture of surveillance” that mandatory intercept capability would create. With the inevitable increase in interception as a result of this surveillance-ready infrastructure, there will be an even greater need for effective oversight and safeguards against abuse. Yet the package of proposals for increased Lawful Access includes no change to the inadequate oversight regime that currently exists.

Another serious concern with this proposal is the increased vulnerability of personal data to unauthorized access that it will create. By requiring TSPs to maintain a “back door” for law enforcement surveillance, the state is creating a heightened risk that hackers will exploit that back door for their own, possibly criminal, purposes. As IBM researcher Tom Cross noted when describing security vulnerabilities in Cisco’s wiretapping architecture, these weaknesses would let a criminal “produce a request for interception that had a valid username and password, thus enabling him to get the fruits of a wiretap.” 103

Indeed, this is exactly what happened to Google in late 2009: Chinese hackers were able to take advantage of a system to help Google comply with state demands for data on Google users, in an apparent effort to access the Gmail accounts of Chinese human rights activists. 104

Governments themselves may find it too tempting not to take advantage of a greater capacity  to engage in real-time surveillance without proper legal authority. After the terrorist attacks  of 2001, the US National Security Administration (NSA) built a surveillance infrastructure to eavesdrop on communications to and from foreign sources. A national controversy erupted after it was discovered that this surveillance program had been used to spy on domestic as well as foreign communications, contrary to US law. 105 More recently, the NSA admitted that it had “been engaged in over-collection” of domestic email messages and phone calls in the course of its foreign intelligence activities. 106

Perhaps the most chilling example of unauthorized use of technical intercept capability is that which occurred in Greece between June 2004 and March 2005, at the time of the Greek Olympics. Using wiretapping capability that Ericsson had built into Vodafone’s projects for use by governments, an unauthorized person or entity managed to wiretap more than 100 cell phones belonging to the prime minister and senior government officials. 107

Before requiring TSPs to compromise network security by creating access points for law enforcement, there needs to be a thorough review and analysis of vulnerabilities that would  be thereby created, so as to minimize the potential for unauthorized access. Before forcing  these costly and undesired measures upon the private sector, the government owes a duty to Canadians to ensure that the intercept capability it is forcing on TSPs for the alleged purpose  of enhancing their security will not in fact have the opposite effect of compromising the security of their communications.

Finally, proposals to require TSPs to configure their networks so as to facilitate state surveillance effectively deputize private actors in criminal investigations by the state. While this aspect of the proposed legislation is unlikely to be found unconstitutional, 108 it raises serious issues as to the point beyond which states should not be allowed, legislatively or otherwise, to forcibly enlist private actors in the conduct of what is indisputably state business. The fact that other countries have implemented similar requirements, or that Canada has agreed by treaty to do so, 109 does not make such measures appropriate in a free and democratic society.

Warrantless Access to Subscriber Data

This, the most criticized of the “Lawful Access” proposals, would require TSPs to provide specified subscriber information to designated law enforcement officers upon request, without prior judicial authorization and without any requirement for reasonable grounds. 110 While TSPs are arguably now permitted to disclose such information to LEAs in the absence of a warrant, 111 they can refuse to do so and apparently some do. This provision would thus expand the power of law enforcement to demand certain investigatory information from TSPs who would otherwise require a warrant before providing the requested information.

Subscriber information vulnerable to such requests would include “name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment”. 112 Such information is particularly valuable insofar as it allows police to link anonymous online activity and communications with an individual name.

The proposed new power would be available to a finite number of designated law enforcement officials 113 for the purposes of performing duties or functions of a police service, the “CSIS”, or the Commissioner of Competition, including for the enforcement of foreign laws. 114 The number and type of law enforcement officials who could exercise this power would thus be much fewer than the broad category of “peace officers” and “public officers” authorized to apply for search warrants and production orders under the Criminal Code.

But no condition beyond fulfilling a duty or function of the agency – not even suspicion of illegal activity – would be required for a designated official to demand this information. There would be no limit to the number of requests that could be made or to the type of offences for which this unprecedented investigatory power could be used.

Requests would normally have to be made in writing by designated officials only. However,  in situations where a non-designated police officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property, where the information sought directly concerns either the victim or the perpetrator, and where the officer believes on reasonable grounds that the urgency of the situation demands an immediate response, the officer would be empowered to obtain the information merely upon verbal request. 115

While there is no “gag order” provision in the statute itself, the proposed law provides for regulations to be made “prescribing any confidentiality or security measures with which the telecommunications service provider must comply”. 116 Such regulations could apply generally  or to particular classes of TSPs. 117 It can therefore be expected that TSPs will be under a regulatory obligation not to disclose the existence or content of the request.

There is no provision for TSPs to challenge the warrantless demands other than by refusing to provide the requested information. Such refusals are highly unlikely given the considerable consequences to TSPs, who could be charged with an offence punishable by a fine of up to $250,000 per day of refusal. 118 Moreover, individuals whose subscriber information is  disclosed to police under this provision would not be given notice after the fact  (as are subjects of wiretaps. 119

Although the proposed new law explicitly limits secondary uses of subscriber information gathered under this power, it would allow law enforcement and intelligence agents to use the information without the individual’s knowledge for purposes “consistent with” the original purpose for which it was obtained. 120 In the context of intelligence, there is no real limit on information gathering – all information about a suspect is potentially relevant. Once again, there is no after-the-fact notice provision ensuring that the subscribers in question are aware, let alone consent to, such uses.

The proposal would require that each agency keep records of each request, including the  duty or function under which the request was made and the relevance of the information to  that duty or function. Each agency would also be required to conduct internal audits of its practices under these provisions on a regular but unspecified basis, and to report to the responsible minister about “anything arising out of the audit that in his or her opinion should  be brought to the attention of that minister...” 121 The proposals also include provisions for discretionary auditing by the Office of the Privacy Commissioner of Canada (of the RCMP  and Competition Bureau) and the Security Intelligence Review Committee (of CSIS), but such provisions are redundant given that those bodies already enjoy such audit powers. 122 There is no provision for auditing of municipal or provincial police force use of this new power.

Charter Analysis

Reasonable Expectation of Privacy in Subscriber Data

The first question in an analysis of whether this proposal is Charter compliant is whether the data in question (name, telephone number, addresses, IP address, etc.) attracts an objectively reasonable expectation of privacy.

This subject has never been fully addressed on appeal, with one appellate court simply commenting in obiter on the unsettled state of the law. 123 Lower courts have found both for 124 and against 125 a reasonable expectation of privacy in subscriber information. While the latter category of decisions is greater in number, the reasoning in such cases lacks consistency and it is therefore difficult to deduce clear principles other than regarding the significance of service agreements between subscribers and service providers.

Nature and Quality of the Information

On its face, subscriber information clearly does not reveal “intimate details about a person’s lifestyle and personal choices”, nor does it constitute a “biographical core of personal information”. However, subscriber information is never requested by police for its intrinsic value; rather, this information is valuable to police precisely because of its link to highly personal, intimate and in many cases incriminating information that the police have already amassed.  As the judge in one case reasoned:

Once the police accessed Mr. Cuttell’s name and address, they were able to link his identity to a wealth of intensely personal information. Linking his name to the shared folder under his IP address, police learned a great deal about Douglas Cuttell and his lifestyle: namely in this case, his interest in adult pornography, obscenity and child pornography, which were all revealed by his choice of shared files. 126

None of that information in the public domain was meaningful to police until it was associated  to Mr. Cuttell himself. More importantly in terms of privacy, none of that information was significant to Mr. Cuttell’s privacy until it was linked to him personally. It was only once his identity was known that his privacy was invaded.

This point was made in the context of banking records in R. v. Eddy where the Newfoundland Supreme Court held that:

The linkage of a name to [account] information creates at once the intimate relationship between that information and the particular individual, which is  the essence of the privacy interest. I do not accept the Crown’s suggestion that the mere obtaining of the name of the owner of an account about which information is already available is not deserving of protection under s.8. 127

As some commentators have emphasized,

The point cannot be sufficiently underscored: typical subscriber information of the sort made available under the proposed legislative scheme will become the means by which a biographical core of personal information is assembled. 128

The value of subscriber information as a key to unlocking anonymous information already amassed (as well as troves of additional sensitive personal information) distinguishes it from other information that police seek in the context of criminal investigations. While transaction records, billing statements, utility records and other information gathered during an investigation add to each other like pieces of a puzzle, none of which is sufficient on its own to establish culpability, these kinds of personal data do not serve as a critical link to biographical core information that has already been gathered and that is often incriminating on its own – all that is needed is a name to attach to the anonymous suspect.

Moreover, the very fact that a person has used a pseudonym or otherwise concealed his or her identity in the context of online communications is clear evidence that the person considers his or her identity, in that context, to be private. Similarly, an unlisted telephone number is a clear indication of the subscriber’s expectation of privacy in that number. Once linked with incriminating or otherwise sensitive information, there can be no question that non-public subscriber information constitutes “specific and meaningful information intended to be private and concealed”, and thus attracts a reasonable expectation of privacy. 129

This conclusion is further supported by the fact that data protection legislation in Canada recognizes the significant privacy value inherent in subscriber data and prohibits TSPs from disclosing it to non-governmental third parties for the purpose of identifying alleged civil wrongdoers without a subpoena, warrant or court order. 130 Indeed, in civil cases involving requests for disclosure of subscriber information, typically for the purpose of defamation  and copyright infringement lawsuits, courts have noted the importance of privacy in one’s identifying information. 131

There would therefore appear to be an objectively reasonable expectation of privacy in subscriber data – at least in those cases where it functions as a link to “specific and meaningful information intended to be private”. 132 But the analysis of whether an objectively reasonable expectation of privacy exists must also consider the circumstances under which subscriber information would be provided to police under the proposed new regime.

Circumstances of the Information Gathering

Location is not material since the proposed new power is in the nature of a production order rather than a physical search. Nor is the technique used by police to obtain the evidence – a written request and, in exceptional circumstances, a verbal request – of any import in the  privacy analysis.

It is however relevant that this information is not in public view (otherwise the police would not have had to request it from the TSP). Rather, it is a private record belonging to the TSP. Although subscribers knowingly provide this information to the TSP, they do so because they must in order to obtain the service; it cannot be said therefore that subscribers abandon the information when they provide it to the TSP. Indeed, the TSP is under a legal obligation to keep this information secure from unauthorized access 133 and confidential, except for specific purposes set out in legislation. 134

The terms of the subscriber agreement are also relevant and have indeed been determinative in many cases decided to date on this issue, with lower courts remarkably consistent in their treatment of this factor. If the terms of service clearly allow for the disclosure of subscriber information to police, courts have found there can be no reasonable expectation of privacy in that information. 135 In those cases where a reasonable expectation of privacy was found, evidence concerning the nature of the service agreement was either not available or not considered. 136

Widespread as it is, this treatment of subscriber agreements fails to take into consideration the extent to which the terms of service unilaterally imposed by TSPs on subscribers constitute a voluntary “agreement” in any meaningful sense – i.e., the extent to which subscribers are made aware of the term regarding disclosure, whether subscribers have any choice in accepting this term, whether subscribers have available to them alternative service providers that do not require consent to such disclosures, and the extent to which it is reasonable to expect individuals to take such clauses into account when selecting service providers. As the dissenting Supreme Court judges in R. v. Gomboc noted, courts should be cautious in presuming awareness of a regulation where such presumption operates to narrow constitutional rights. 137 The same applies to presumptions of voluntariness in the context of mass market agreements.

But even if terms of service are treated as voluntary informed agreements sufficient to negate an otherwise reasonable expectation of privacy, such terms will vary among agreements and service providers. Indeed, it can be expected that some TSPs will distinguish themselves by not requiring that their subscribers agree to a term permitting disclosure to police (they do not need to obtain consent for mandated disclosures). Without knowing that the terms of the agreement in any given case provide for disclosure to police, the government cannot defend warrantless access to subscriber data on that basis.

Some courts have treated as relevant the fact that TSPs are permitted, under PIPEDA, to disclose subscriber information to LEAs upon request, as long as the agency has “identified its lawful authority to obtain the information”. 138 With respect, this reasoning reflects a misunderstanding of PIPEDA. As noted by the court in R. v. Cuttell, PIPEDA governs private organizations, not the police. 139 While it permits TSPs to disclose subscriber information to government authorities with “lawful authority” to request the information, such permission in no way authorizes police to obtain subscriber data without a court order. All that PIPEDA does in this respect is to leave it up to the TSP to determine whether or not the data requested attracts a reasonable expectation of privacy and thus whether or not a warrant is required. (As noted below, this is an unrealistic approach: TSPs cannot be expected to make legal/constitutional determinations before responding to each request for subscriber data.)

The possibility that some subscribers will have a reasonable expectation of privacy in their  name and address means that a general approach ignoring that fact will be inconsistent with  the Charter. That is the case with the proposal in question: it is incorrectly premised on the assumption that subscriber name and address can never attract a reasonable expectation of privacy. As long as any subscribers have reason to expect that their name and address will not be disclosed to police by their TSP in the absence of a court order or warrant, the only general rule that will pass Charter scrutiny is one that respects that privacy interest.

Section 487.014 of the Criminal Code has also been treated as relevant to the analysis of  whether subscribers have a reasonable expectation of privacy in their name and address.  It states as follows:

487.014(1) For greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

In R. v. McNeice, a B.C. court found that:

absent a finding of state agency, s.487.014(1)provides the police with lawful authority to make a PIPEDA request for subscriber information, which an ISP is not prohibited by law from disclosing if it falls within the provisions of s. 7(3)(c.1)(ii) of PIPEDA. 140

The Court seemed oblivious to the circularity of its reasoning. Regardless of whether the TSP  is acting as an agent of the state in responding to warrantless police requests for subscriber information, this clause cannot serve as “lawful authority” under s.7(3)(c.1) of PIPEDA while at the same time relying on s.7(3)(c.1) to permit the disclosure. Section 487.014 does not therefore affect the analysis of a reasonable expectation of privacy in subscriber data.

In summary, the circumstances of the information collection being proposed – private information collected from private entities, not abandoned, subject to unknown terms of confidentiality as between the subscriber and the TSP, and not subject to any other statutory regimes that negate a reasonable expectation of privacy in the data - support a finding of reasonable expectation of privacy. Combining these circumstances with the strong privacy interest in subscriber data as a result of its function as a key to unlocking biographical core information, it is difficult to conclude that warrantless access to subscriber data would not be considered a “search” under s.8 of the Charter.  Prior authorization is thus required.

The mere fact that key circumstances such as the subscriber agreement – or the information to which the subscriber data links, if this is treated as a circumstance – will vary by case, renders  a “one size fits all” approach to accessing subscriber data inappropriate (unless such approach requires prior authorization). Putting it differently, as long as there are some cases in which a reasonable expectation of privacy inheres in the subscriber data, a general approach that makes prior authorization unnecessary will violate s.8.

Section 1 Analysis

Legislation that violates s.8 may still be saved if it constitutes “a reasonable limit prescribed by law as can be demonstrably justified in a free and democratic society”. As noted above, the application of this test involves several steps.

Important Objective

The objective which the measures in question are designed to serve must relate to “concerns which are pressing and substantial in a free and democratic society” before it can be characterized as sufficiently important. 141 The more severe the deleterious effects of a measure, the more important the objective must be.

The objective of allowing warrantless access to subscriber data is to facilitate state investigation of crime involving telecommunications. Insofar as the effective investigation of crime is a pressing societal concern, the proposed law would seem to pass the first stage of the test under s.1. However, the Supreme Court has noted that “it is desirable to state the purpose of the limiting provision as precisely and specifically as possible so as to provide a clear framework for evaluating its importance, and the precision with which the means have been crafted to fulfil that objective. 142  The more narrow purpose of the proposal was explained by Public Safety Canada explained in a Backgrounder accompanying the introduction of Bill C-52 in November 2010:

“Basic subscriber information is often crucial in the early stages of an investigation. Without these identifiers, the police, CSIS and the Competition Bureau often reach a dead-end, as they are unable to get sufficient information to pursue an investigative lead or obtain a warrant...the practices of releasing this information vary across the country: some service providers release the information immediately upon request; others provide it at their convenience, often following considerable delays; others insist that authorities first obtain a warrant.  This lack of consistency and clarity can delay or block investigations.” 143

But aside from mere assertions about frustrated investigations, Public Safety Canada has failed to demonstrate a pressing need for this new power. As long as they have reasonable grounds, police can obtain a production order to obtain subscriber information. It is not clear how the duty to obtain such an order could “block” an otherwise reasonable and justified investigation.

Moreover, police already have at their disposal powers to forgo prior authorization where exigent circumstances exist. 144 The proposed law is therefore needed not to deal with cases of urgency  or impracticality of obtaining a production order. Rather, it is designed simply to relieve the police of the burden of having to obtain a production order for this kind of data.  While this would no doubt facilitate police investigations, speeding up the investigatory process is surely not “a pressing and substantial concern”.


The proposal satisfies the first requirement of the proportionality test, that it be rationally connected to this objective: it is clearly designed to facilitate law enforcement agency investigations. However, it runs into serious problems with the next requirement of the proportionality test: minimal impairment.

Not only would law enforcement agents be empowered to force TSPs to hand over subscriber data without prior authorization, there would be no requirement for reasonable grounds to suspect, let alone believe, that an offence has been or will be committed and that the subscriber data sought will assist in the investigation of that crime. All that is required is that requests  be made in the performance of “a duty or function” of the law enforcement agency. 145 This approach is in stark contrast to current provisions for warrantless searches on the grounds of exigency: in such cases the conditions for obtaining a warrant must nevertheless exist. 146   If access to subscriber data is considered to be a “search” under s.8, the proposal will fail s.1 on this basis alone.

But there are numerous other ways in which the proposal fails the “minimal impairment” test:

  • in contrast to other search powers, it could be employed in the enforcement of foreign laws, even where the same laws do not exist in Canada;
  • there is no limit to the number of requests that can be made simultaneously or repeatedly;
  • the power is not limited to crimes let alone serious offences – it would be available for use in investigating the most minor infractions under the Criminal Code, Competition Act and CSIS Act, and the collection of information for intelligence purposes would presumably  be unlimited;
  • there is no provision for the recipient of a demand to challenge it (in contrast to the process for challenging production orders in the proposed s.487.0193  of the Criminal Code);
  • there is no provision for the subject to be informed of requests involving them (as is the case for interceptions);
  • indeed, requests may be made subject to “gag orders” via regulation, such that subjects can never be made aware of the search involving their information;
  • there is no requirement for annual public reporting on use of the power;
  • there is no requirement for external audits or reviews of LEAs’ use of the power; and
  • there is no provision for Parliamentary review of the legislation.


In the US, designated government officials can obtain similar subscriber data 148 by way of administrative subpoena without prior judicial authorization or a showing of “probable cause”. 149 However, US courts have imposed requirements regarding scope, necessity and authority to issue such subpoenas. Moreover, these subpoenas are available only for certain types of criminal investigations, notably health care fraud, child abuse, Secret Service protection, controlled substance cases, and Inspector General investigations. 150 In addition, the recipient of an administrative subpoena can challenge its validity in court on grounds that it was not issued in good faith or that its issuance or enforcement is otherwise unreasonable. 151

None of these requirements or limitations is present in the Canadian proposal to permit law enforcement access to subscriber data without prior authorization. Other than requiring that  the purpose of the request falls within the broad functions or duties of the agency, and limiting the number of agents that can make requests in the ordinary course of investigations, there are  no proposed limits regarding necessity of the request or regarding the types of investigations  for which such requests can be made. Nor are TSPs provided with any means to challenge individual requests.

Considering the numerous ways in which the proposal could be revised to be less privacy invasive while still providing law enforcement with readier access to this data, there can be  no question that the proposal fails the s.1 test for minimal impairment.

Proportionality of means and ends

The final aspect of the proportionality test involves determining whether the effects of the measure so severely impinge upon individual rights that the legislative objective, albeit important, is nevertheless outweighed by the abridgement of rights. It is not necessary to go through this balancing exercise if the measure has already failed the “important objective” or “minimal impairment” test. But assuming that the proposal to allow warrantless access to subscriber data somehow passes these tests, it will undoubtedly fail on the final proportionality test.

The potentially grave intrusions on individual privacy that this proposal would permit cannot be justified by the objective of expediency in police investigations.

As explained above, names and addresses are useful to police not for their intrinsic value but rather because they allow police to attach an identity to a potentially vast, highly private and potentially incriminating collection of  information about a person that has already been amassed and that can then continue to be amassed. Anonymous communications need to be protected in free and democratic societies. As noted by the Electronic Frontier Foundation,

Many people don't want the things they say online to be connected with their offline identities. They may be concerned about political or economic retribution, harassment, or even threats to their lives. Whistleblowers report news that companies and governments would prefer to suppress; human rights workers struggle against repressive governments; parents try to create a safe way for children to explore; victims of domestic violence attempt to rebuild their lives where abusers cannot follow. 152

The societal value of anonymous communications was recognized by the American Supreme Court in a much-cited 1995 ruling, when it stated that:

Allowing dissenters to shield their identities frees them to express critical, minority views ... Anonymity is a shield from the tyranny of the majority...  It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation ...  at the hand of an intolerant society. 153

Allowing police to pierce the anonymity of individual speech online, without any justification  or prior authorization, strikes at the heart of free speech and is antithetical to democracy.

The damage to anonymous free speech and privacy that it would cause is not outweighed by a desire to relieve police of the need to obtain a warrant for access to subscriber data.

Applying a general rule to certain types of personal data in which individuals have a wide variance of privacy interest is dangerous, for as long as anyone has a legitimately high private interest in that data, prior authorization will be required. Thus, the only acceptable general rule will be one that respects the highest possible privacy interest in that type of data.

In brief, once it is found that access to subscriber data constitutes a “search” under s.8 of the Charter, it is inconceivable that a law permitting warrantless access to subscriber data could be justified as a reasonable limit in a free and democratic society.

Preservation Orders and Demands

Preservation Orders: Preservation Demands:
• 90 days • 21 days
• Authorization required • No authorization required
• May be repeated • No repeats

In keeping with Articles 16 and 17 of the Council of Europe’s Cybercrime Convention (“Cybercrime Convention”), the federal government is proposing to add a new “preservation order” and “preservation demand” to the suite of new Lawful Access powers  in the Criminal Code.

Under the proposed preservation order, 154 any police or other law enforcement officer can apply to a judge or justice of the peace for an order to preserve computer data for up to 90 days.  The application must be made on oath, in writing, using a particular form. It must establish reasonable grounds to suspect that an offence under Canadian or foreign law has been or will be committed and that the computer data requested will assist in the investigation of the offence.  If the offence is under foreign law, the judge or justice must be satisfied that authorities in the foreign state are conducting an investigation of the offence. Finally, the officer must have applied, or intend to apply, for a warrant or order to obtain the data in question.

The preservation order may include any conditions that the justice or judge considers appropriate, including a prohibition on disclosure of the existence of the order for a certain time period if the justice or judge is satisfied that there are reasonable grounds to believe that disclosure during that period would jeopardize the conduct of the investigation. 155

The preservation order would expire after 90 days if not revoked earlier. Upon revocation, expiration or production of the requested data, the person to whom the demand or order was made would be required to destroy the computer data that would not be retained in the ordinary course of business as well as any document prepared for the purpose of preserving the data. 156

In addition to preservation orders granted by a justice or judge, police officers (and other law enforcement officers) could make preservation demands without the need for prior judicial authorization. Such demands could be made only where the officer has reasonable grounds to suspect that an offence under Canadian or foreign law has been or will be committed and that  the computer data requested will assist in the investigation of the offence. 157 If foreign law,  the officer must have reasonable grounds to believe that the foreign state is investigating the offence. 158 Like preservation orders, these demands could include any conditions that the  officer considers appropriate, including a prohibition on disclosure of the existence or  contents of the demand. 159 Preservation demands, however, would expire after 21 days  and could not be repeated. 160

Charter Analysis

Do Preservation Demands/Orders constitute “searches” or “seizures”?

The first question in a Charter analysis of preservation orders and demands is whether s.8 would even apply, given that the police will never come into possession of the information as a result solely of these orders and demands.

As noted above, police cannot avoid the application of the Charter by doing indirectly what they cannot do directly. Where they employ private actors to obtain evidence, the Charter will extend to the acts of those parties in their roles as “agents of the state”. Applying the Broyles test of whether the exchange between the accused and the informer would have taken place but for the intervention of the state or its agents, it is clear that TSPs would be acting as agents of the state when they respond to preservation orders and demands (as opposed to when they provide such information to the police entirely on their own initiative). As the Supreme Court stated in R. v. Dersch, “[a] doctor who takes a blood sample illegally at the request of police is acting as an agent of government and his or her actions are subject to the Charter”. 161 The TSP’s retention  of information under a preservation order/demand is thus subject to the Charter.

Reasonable Expectation of Privacy

In contrast to other Lawful Access proposals, preservation demands and orders are not limited to certain types of data; instead they would apply to “computer data”, which is defined broadly as “representations, including signs, signals or symbols that are in a form suitable for processing in a computer system.” 162 As some commentators have pointed out:

The consequences of [preservation orders] are staggering and form the basis  for our assertion that the [Council of Europe Cybercrime] convention fundamentally shifts the role of ISP from that of a conduit to a reservoir of information. For a period of up to three months, every piece of information a user inputs into the Internet, through email or Web use, could be preserved by the ISP for access by law enforcement. 163

There can be little dispute that individuals have a reasonable expectation of privacy in the data that could be subject to these orders and demands.

Circumstances of Seizures under Preservation Orders

The same analysis applies here as applies to the proposal for warrantless access to subscriber data. The data in question is indisputably private information in the possession of private entities that value it as such. It is not abandoned by the individuals to whom it relates. It is subject to unknown terms of confidentiality as between the subscriber and the TSP. Finally, it is not subject to any other statutory regimes that would negate a reasonable expectation of privacy in the data. However, there is a critical difference: police do not actually obtain the data under preservation orders and demands. Instead, the TSP must simply preserve it, for a limited time, so as to ensure that the police are able to access the data should they obtain authority to do so within the period of the order or demand.

It is possible that this distinguishing feature of preservation orders and demands is found to substantiate a finding that they do not constitute “searches” or “seizures” under s.8, in which case the analysis ends here.

If, on the other hand, preservation order and demands are found to constitute “seizures” under s.8 of the Charter, the analysis shifts to s.1.  Preservation demands become presumptively unconstitutional because they do not require prior authorization and because their use is not limited to exigent circumstances. As noted by one commentator:

Without any judicial oversight, the public must hope that the officers issuing preservation demands are able to evaluate objectively the reasonableness of their own grounds to believe that the communications they seek to preserve will afford evidence of an offence. 164

Preservation orders, on the other hand, do require prior authorization. But such authorization is to be provided on the relatively low standard of “suspicion” (vs. “belief”) that the information  in question “will assist in the investigation of the offence” (vs. “afford evidence respecting commission of the offence”). As noted above, the courts have accepted this lower standard in certain circumstances even without statutory authority. Where authorized by statute, the test becomes whether the lower standard can be reasonably and demonstrably justified in a free  and democratic society. 165

Section 1 Analysis

Important Objective

The purpose of preservation orders and demands is to ensure that information potentially relevant to a criminal investigation is not lost or destroyed during a period in which police are gathering the evidence necessary to justify a production order. Given that cybercrime is a serious global problem as recognized by the Council of Europe Convention, together with the variation in TSP practices with respect to data retention, this objective is likely to pass the first part of the s.1 test.


The measures are carefully designed to achieve their objective. However, there is reason to question whether they do so in a minimally intrusive manner. The only safeguards against police abuse of these new powers would be:

  • in the case of preservation orders, prior authorization on a suspicion-based standard and a 90 day limit; and
  • in the case of preservation demands, reasonable grounds to suspect, a 21 day limit and no repeats.

As noted above, these new powers are not limited to traffic data or other non-content data.

Nor are they limited to serious offences. Indeed, they are not even limited to offences under Canadian law – further to the international Cybercrime Convention that Canada wishes to ratify, these powers could be used to assist foreign states in gathering evidence for the purpose of prosecutions under their laws. Yet there is no requirement for dual criminality (i.e., that the foreign offences under investigation also constitute offences under Canadian law). Nor is there any requirement that only those foreign states that have signed or ratified the Convention (which includes important safeguards in Articles 14 and 15) can take advantage of these powers.  Thus, it is conceivable, for example, that the communications of a Chinese human rights activist are subject to preservation under these provisions for ultimate use by the Chinese government to prosecute that individual for what would in Canada be considered commendable free speech.  The use of preservation orders for enforcement of foreign laws that are contrary to Canadian values would surely fail the proportionality test.

But there are other ways in which these new powers may be found to be unconstitutional.  For example, they may be found to impair individual rights more than necessary as a result  of the lack of a process for recipients to challenge a given order or demand. Although such  a process would exist for recipients of production orders, it is unavailable with respect to preservation orders and demands. This is presumably because mere preservation is seen to  be less intrusive than disclosure.

But the prospect of having to respond to an unlimited number of preservation demands and orders may drive TSPs to engage in routine retention of data that they would not otherwise have retained. If the cost of simply retaining communications data as a matter of course is less than the cost of responding to specific preservation orders and demands, business imperatives will result in ongoing data retention, a much more intrusive and questionable practice than request-specific data preservation – and one which would no doubt cause public uproar if proposed in Canada.

Such data retention will be limited only by PIPEDA, which requires simply that personal information be retained only as long as necessary for the fulfilment of the purposes for which  it was collected, except with the consent of the individual or as required by law. 166 TSPs will likely comply with the consent requirement by simply including in their terms of service a clause purporting to obtain subscriber consent to such data retention.

In other words, business realities may turn what were intended to be narrowly targeted,  time-limited “do not destroy” orders into the very kind of broad-based data retention that they were meant to avoid. 167 Canada will have effectively instituted an informal data retention regime similar to that in Europe (and under consideration in the US and Australia), but without any clear limits on the type of data to be retained or the period of time over which it is to be retained.  Data retention laws are highly controversial because of the way they treat everyone as a suspect and make everyone’s data vulnerable to unauthorized access and use.

Finally, the low evidentiary standard (“suspect”; “will assist”) applicable to both powers must  e assessed in light of the privacy interests affected. As noted above, any kind of “computer data” may be subject to these powers; there is no attempt to distinguish between content and “traffic data”. While this may make sense in terms of the objective and the needs of law enforcement,  it puts into question the appropriateness of the lower evidentiary standard.

Consistent with the Cybercrime Convention, the government appears to be creating a regime  of evidentiary standards that varies according to the type of data in question. The rationale underlying this approach is that individuals have a greater privacy interest in the content of their communications than in the non-content, transmission data accompanying it. A similar regime is found in the US. 168 Under the Criminal Code, the lower suspicion-based standard currently applies only with respect to non-content data (production orders for financial account data, and tracking/transmission data recorder warrants). Consistent with the existing provisions, it is now being proposed for new production orders for tracking and transmission data. In all these cases, the lower standard would apply only to non-content data. But in the case of preservation orders and demands, it would apply to content data as well.

The application of a lower standard to content data under preservation orders and demands is mitigated admittedly by the fact that police must obtain a production order under the higher standard in order to access any content data preserved as a result. This is likely to be seen as sufficient justification for a lower evidentiary standard.

In summary, preservation orders and demands are likely to run into constitutional problems  with respect to the absence of safeguards regarding foreign investigations. In order to ensure Charter compliance, the government should add a requirement of dual criminality for the exercise of these powers in the enforcement of foreign laws. As well, there is a real danger  that these seemingly narrow, targeted data preservation tools have the effect of creating  a de facto regime of ongoing data retention by TSPs in Canada, contrary to the expressed intention of the Canadian government.

New Production Orders for Transmission/Tracking Data

In keeping with the Cybercrime Convention’s distinction between content and traffic data, the Lawful Access proposals include some new production orders for non-content data, as well as revisions to existing warrants for real-time access to the same kind of data.

In each case (with one exception), the standard for disclosure or surveillance is “reasonable grounds to suspect that an offence has been will be committed” and that the information obtained “will assist in the investigation of the offence”.

One new production order would require disclosure of “tracking data”, which is defined as “data that relates to the location of a transaction, individual or thing”. 169 This would include location information derived from ATM machines, GPS devices in automobiles, and GPS-enabled cell phones, among other things.

Another new production order would be available for “transmission data”, defined as:

data that (a) relates to the telecommunication functions of dialling, routing, addressing or signalling; (b) is transmitted to identify, activate or configure a device, including a computer program as defined in subsection 342.1(2), in order to establish or maintain access to a telecommunication service for the purpose of enabling a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and (c) does not reveal the substance, meaning or purpose of the communication. 170

A third production order would be available for tracing a communication back to the initial service provider. This order would allow police to obtain disclosure of transmission data  “related to the purpose of identifying a device or person involved in the transmission of a communication” on an expedited basis. 171 It would not require naming the TSP from whom  the data is sought – instead, it would be a sort of “To Whom It May Concern” production order that would be good for 60 days. According to Public Safety Canada, this new tool is designed  to help LEAs determine the origin of a particular transmission on an expedited basis, and will  be useful in both domestic and international investigations. 172

In all three cases, applications must be made in writing on oath, and the justice or judge granting the order must be satisfied that there are reasonable grounds to suspect criminal activity and that the data to be produced will assist in the investigation of the offence. This standard is lower than that applicable to general production orders and search warrants in two respects: (1) the requirement for mere suspicion as opposed to belief, and (2) the need to prove only that the  data gathered “will assist in the investigation of the offence”, not that it “will afford evidence respecting the commission of the offence”. 173 This lower standard is not without precedent:  it applies currently to production orders for financial or commercial information (s.487.013).

As with preservation orders, production orders may contain conditions, including gag orders.  However, unlike preservation orders, they are available only with respect to the investigation  of domestic (as opposed to foreign) offences.

Tracking/Transmission Data Warrants

Sections 492.1 and 492.2 of the Criminal Code already provide for warrants to obtain real-time information about the location of suspects and about incoming and outgoing telephone numbers, respectively. The new law would amend these provisions in a number of significant ways.  In both cases, it would expand the scope of each warrant to permit remote activation and use of the devices in question, remove the requirement for the officer’s oath to be in writing, and extend the maximum period of validity of the warrant in investigations of organized crime or terrorism from the normal 60 days to one year.

With respect to s.492.1 (tracking warrants), the standard for obtaining a warrant to track the location of transactions or things would be reworded from suspicion that “information  relevant to the commission of the offence...can be obtained through use of the tracking device”  to suspicion that use of the device “will assist in the investigation of the offence”. 174 This provision would apply, for example, to GPS devices installed in automobiles. A new, separate warrant for tracking devices in things usually carried or worn by individuals would be created with a higher evidentiary standard of belief (vs. suspicion) that the tracking information will assist in the investigation. 175 This would presumably apply to real-time tracking via GPS devices in mobile phones.

With respect to s.492.2 (transmission data warrants), the low suspect/will assist evidentiary standard would remain in place, while the scope of the warrant would expand from recording incoming and outgoing telephone numbers to recording the type, direction, date, time, duration, size, origin, destination and/or termination of any communications (the same definition  of “transmission data” would apply here as to production orders). 176

Charter Analysis

The question of whether or not individuals have a reasonable expectation of privacy in their tracking and transmission data, whether generated by recording devices surreptitiously installed by the police or by records ordinarily generated by their service providers, is not at issue since police will continue to be required to obtain prior authorization in order to obtain this data.  However, the evidentiary standard under which such warrants and production orders are granted is very much at issue.

As noted above, the Supreme Court has opened the door to a lower, suspicion-based  evidentiary standard in appropriate cases, where the privacy interest at stake is reduced.  Indeed, the constitutionality of the lower suspect/will assist standard for telephone number recorder warrants in s.492.2 has been upheld by one appeal court: in R. v. Cody, the Quebec Court of Appeal found that the data generated by a digital number recorder (telephone number and duration that the telephone was off the hook), is not sufficiently private to require the highest evidentiary standard under s.8. 177

However, the proposed law reforms would significantly expand the scope of information subject to the transmission data warrant, and technological advances have already significantly expanded the scope of location-related information that can be recorded by way of tracking devices. These changes heighten the privacy interest at stake and should therefore affect the judicial analysis.

Transmission Data

“Transmission data”, for the purposes of both the new production order and revised warrant,  is defined as:

data that (a) relates to the telecommunication functions of dialling, routing, addressing or signalling; (b) is transmitted to identify, activate or configure  a device, including a computer program as defined in subsection 342.1(2), in order to establish or maintain access to a telecommunication service for the purpose of enabling a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and (c) does not reveal the substance, meaning or purpose of the communication. 178

While this data may not reveal the substance, meaning or purpose of a communication,  it is a significantly broader category of information than that which can be obtained through warrants for telephone number recorders under the existing s.492.2. Telephone number  recorders operate as follows:

A digital number recorder (DNR) is activated when the subscriber's telephone is taken "off the hook". Electronic impulses emitted from the monitored telephone are recorded on a computer printout tape which discloses the telephone number dialled when an outgoing call is placed. The DNR does not record whether the receiving telephone was answered nor the fact or substance of the conversation, if any, which then ensues. When an incoming call is made to the monitored telephone, the DNR records only that the monitored telephone is "off the hook" when answered and the length of time during which the monitored telephone is in that position. 179

In contrast, “transmission data recorders” will gather essentially all of the information about  a communication other than the contents: type, direction, date, time, duration, size, origin, destination and termination. Moreover, through the use of sophisticated computer programs,  this information can be quickly and easily compiled and analysed over time. From such information, much can be gleaned about a person’s private life: who they communicate with, when and for how long each communication occurred, and whether a given electronic communication included large photographic or video files, for instance. This information can be highly revealing of a person’s habits and lifestyle.

Transmission data is especially useful in making links between individuals and enabling social network analysis. 180 With transmission data, authorities can derive information about social networks – even about the relative influence of each member in the network. Indeed, they can sometimes identify a social network before the individuals themselves have appreciated its existence. 181 According to one researcher, ThorpeGlen, a British firm, sells systems that:

analyze vast amounts of communications data in order to discover people worth investigating. Well-connected people with many links to others are not of interest. It is the isolated groups, the pairs and small groups who only connect to a few others, that draw suspicion. 182

As well, certain devices leak data in ways that can enhance transmission data. When mobile phones are used to visit websites, for example, significant data can be accidentally made available to authorities. According to an expert mobile phone hacker, phone numbers, SIM  card numbers, unique phone IDs, and the access point that is used are sometimes included with traffic data provided to US authorities. 183 There are no algorithms in existence now that ‘scrub’ such information from the server logs that could be turned over to police, arming authorities  with more information about users than they might have expected from the warrant or  production order.

Moreover, the proposed revisions to s.492.2 (warrant for transmission data recorder) would recognize the increased functionality of computer-based recording devices by expanding the scope of the activities covered by the warrant beyond mere installation, monitoring and removal of devices to remote activation and use of the devices. 184 In other words, police powers to monitor the communications activity of suspects would be enhanced not only by obtaining  more data about those communications, but also by having much greater control over the  devices themselves.

There is thus a strong argument that the expanded scope of transmission data warrants attracts a level of privacy interest sufficient to justify a higher evidentiary standard than may have been acceptable for telephone number recorders.

A similar argument can be made regarding the appropriate evidentiary standard for the proposed new production orders for transmission data, especially if preservation orders can be used to ensure that transmission data is preserved by the TSP for an indeterminate amount of time.  Indeed, by combining the use of preservation and production orders for transmission data, LEAs can gather the same information that they would have gathered via a transmission data warrant, the only difference being that the TSP does their surveillance for them. Either way, the data in question is potentially far more revealing than under the existing regime and thus deserves stronger protection.

Tracking Data

“Tracking data”, for the purposes of the new production order and revised warrants, is defined as “data that relates to the location of a transaction, individual or thing”, 185 and “tracking device”, for the purposes of the warrant, is defined as “a device, including a computer program within the meaning of subsection 342.1(2), that may be used to obtain or record tracking data or to transmit it by a means of telecommunication”. 186

While these definitions do not appreciably expand the scope of the existing warrant, they apply in a context of dramatic technological improvement in location tracking devices. As pointed out by the Electronic Frontier Foundation (“EFF”) and American Civil Liberties Union in their 2009 joint Amicus Brief to the United States Court of Appeals (D.C. Circuit) in the case of USA. v. Maynard and Jones, 187 GPS tracking devices now provide a complete technological replacement for physical human surveillance: they enable 24 hours a day “dragnet” surveillance at minimal cost, they enable police to track people in private as well as public places, and they enable simultaneous surveillance of unlimited numbers of people (GPS technology can support an unlimited number of receivers). Geo-locational data from mobile communications devices is relayed by virtue of the device being turned on; disabling ‘location services’ does not prevent this information from being transmitted.  Moreover, like other technologies, location tracking devices are getting smaller and smaller, while at the same time more powerful, making them easier to use and less prone to discovery by the subject.

Combined with the growing networks of ATMs, cell phone towers, electronic toll roads, and other electronic means by which location data can be gathered, the type of information  gathered through tracking warrants can reveal far more information than used to be the case. Through deduction and inference, it can disclose a plethora of intimate information about a person’s life – travel to political meetings, places of worship, news media outlets, homes of friends and family.  It can also be overlaid upon demographic, psychographic, and consumer  data to develop nuanced profiles that rely on Geographic Information Systems. 188 Such data  can further integrate time as a variable to identify likely profiles in geographic areas  throughout the day and year. 189

This is surely information in which individuals have a strong and reasonable expectation of privacy. As the US Court of Appeals for the District of Columbia Circuit stated in a recent ruling that surreptitious surveillance via GPS devices installed in vehicles requires a warrant based on probable cause, "[w]hen it comes to privacy ... the whole may be more revealing than the parts". 190 The Court went on to explain:

It is one thing for a passerby to observe or even to follow someone during  a single journey as he goes to the market or returns home from work.  It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person's hitherto private routine. 191

The US Court of Appeals for the District of Columbia found likewise in USA v. Maynard, noting that the sheer quantity of information creates a picture so complete that privacy is at issue, even if each movement is in the public domain:

A person who knows all of another’s travels can deduce whether he is a weekly churchgoer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups – and not just one such fact about a person, but all such facts. 192

Both cases are currently under appeal.

The information available to police through production orders for tracking data is comparable to that available through direct police surveillance via tracking devices. Yet there would be no requirement for such production orders to be individualized, nor would there be any need for reasonable grounds to suspect that the information gathered will do anything more than “assist in the investigation of the offence”. Thus, police will be authorized to make bulk demands for information regarding an offence, such as all records from cell phone towers in the vicinity and around the time of the incident. As Justice Quigley of the Ontario Supreme Court noted when finding that “the sheer scope and unbridled breadth of the Tower Dump warrants [obtained under s.487] demands, in my judgment, that the evidence derived from the execution of those warrants be excluded at trial under subs. 24(2) of the Charter”, 193

... it is evident that the overwhelming and pervasive use of cell phones in Canada by an enormous percentage of the population, the advancement of cellular phone technology, and the breadth of information that may be obtained about cell phones and the people who use them, may permit such information to reveal personal and biographical matters about the users. Technological tools such as the ability to isolate and determine the cell phone traffic that passed through any particular cellular transmission tower, or simply the production of billings records with the increased information they may now capture and display, has the potential to reveal information that individuals might have expected would remain private and confidential. 194

By continuing to apply a lower evidentiary standard to this information, the government  is signalling that, while this information attracts a reasonable expectation of privacy,  such expectation is not sufficiently great as to justify the normal, belief-based standard.  This is disputable given the breadth and quality of information now accessible through computer-based tracking devices.

Section 1 Analysis

Assuming that the lower suspicion-based standard is found to be inappropriate for production orders for tracking and/or transmission data, or for warrants for tracking devices and/or transmission data recorders, the court will have to engage in a section 1 analysis.

The objective of the lower standards is to allow police to access more personal information with less evidence to justify their suspicions. By replacing belief with suspicion, the test allows police to proceed on the basis of less evidence – more than a hunch, but less than belief. And by requiring that the information gathered will merely “assist in the investigation of the offence”, rather than that it will “afford evidence respecting commission of the offence”, the lower standard opens up a trove of information to police that would otherwise be inaccessible.

The significance of these differences should not be overlooked: they will result in far more personal information being made available to law enforcement and intelligence agencies in the course of their investigations, with a correspondingly greater intrusion on individual privacy.  Indeed, it can be expected that police will use these lower standards to engage in fishing expeditions under the guise of suspicion and assistance in the investigation of offences – for that is precisely what the higher standard is meant to prevent.

In order to defend the constitutionality of its application of lower evidentiary standards to these new and existing powers, the government will need to demonstrate that the lower standard is needed in order for LEAs to be able to do their jobs effectively. Such justification has yet to be provided. All that we have been told is that these provisions are needed for police to be able to fight high-tech crime – specifically “to identify all the network nodes and jurisdictions involved in the transmission of data and trace the communications back to a suspect” – and that they will “allow law enforcement officers to trace serious computer crimes such as child pornography and hate crime.” 195 Yet the proposed production orders and revised warrants are in no way limited to high-tech crimes or to serious computer crimes.

Nor do they include safeguards such as reporting requirements or notice to individual subjects after the fact. While the government is proposing to expand both annual reporting requirements under s.195 and notice requirements under s.196 to cover interceptions without warrant as well as those with, it has not seen fit to require such reporting or notification in the case of s.492.1  and s.492.2 warrants. Yet, such ex post facto accountability measures are all the more important when the ex ante protections are lowered.  At a minimum, the lower evidentiary standards in these proposals should be accompanied by higher standards of accountability and oversight.

While the proposals for a lower evidentiary standard are rationally connected to the important societal goal of crime prevention, they are likely to fail the proportionality test unless the government can show that the benefits in terms of improved law enforcement will outweigh the costs in terms of individual privacy. There is no question that these changes will result in more state surveillance of individuals, innocent and guilty. They will also heighten the risk of police engaging in “fishing expeditions”. Whether or not the societal value of purportedly improved law enforcement is worth these costs to individual privacy is a question the Supreme Court of Canada will have to confront, eventually.

Exemption for voluntary disclosure/preservation

An often overlooked aspect of the “Lawful Access” proposals involves s.497.014 of the  Criminal Code (s.487.0195 under the proposed law reforms).  The revised clause states:

For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing. 196

In other words, it simply confirms that voluntary preservation and/or disclosure of information by third parties, where not prohibited by law, does not require an order or statutory demand.  The proposed revisions would merely expand the scope of the existing clause to cover preservation orders/demands as well as production orders. Such changes are not an issue.

However, the clause – even as it currently exists – raises serious constitutional concerns.  It purports to negate the requirement for police to obtain prior authorization where their actions invade reasonable expectations of privacy and thus constitute “searches” under the Charter.  It ignores the fact that the Charter applies to voluntary third party searches where the third party acts as an agent of the state by preserving or providing the requested information. It is thus  over-broad and offends the constitution by failing to restrict its application to information  in which individuals do not have a reasonable expectation of privacy. The Supreme Court considered this provision in R. v. Gomboc in the context of a public regulation permitting electricity suppliers to disclose customer information to police as long as such disclosure is not contrary to the express request of the customer. 197 The Court found that the combined effect  of s.487.014 and the regulation (together with the customer’s failure to request confidentiality) established that there was “no statutory barrier” to the supplier’s “voluntary cooperation with  the police”. 198 The constitutional issue (reasonable expectation of privacy) was determined on the basis of the regulation and other factors, without reference to s.487.014.

Two lower court cases have taken opposite approaches to the significance of s.487.014  in the context of constitutional challenges to the voluntary collection by police of subscriber  data from ISPs.  In R. v. Cuttell, Pringle J. of the Ontario Court of Justice found that  “neither the involvement of a third party nor s.487.014(1) of the Criminal Code can shield the police from Charter scrutiny if … [as here] … the ISP acts as an agent of the state in  a criminal investigation”. 199

A year later, Meiklem J. of the B.C. Supreme Court disagreed that ISPs are acting as agents of the state when responding to police requests for subscriber data, and found that “absent a finding of state agency, s. 487.014(1) provides the police with lawful authority to make a PIPEDA request for subscriber information, which an ISP is not prohibited by law from disclosing…”. 200 Meiklem J. seemed oblivious to the circularity of his reasoning: PIPEDA allows ISPs to disclose subscriber information to the police only if the police have identified their “lawful authority  to obtain the information”. 201 Needless to say, a Criminal Code provision permitting  voluntary collection by police of information as long as the third party is not prohibited from disclosing the information cannot also serve as statutory authority for allowing third parties  to make such disclosures.

To the extent that s.487.014 purports to override the constitutional requirement for prior authorization where police actions invade an individual’s reasonable expectation of privacy  (by engaging third parties as agents to deliver information), it cannot be given effect. For the same reason that it offends s.8 of the Charter, s.487.014 is unlikely to be found to constitute  “a reasonable limit can be demonstrably justified in a free and democratic society”.  If challenged under s.52(1) of the Charter, s.487.014 is therefore likely to be “read down”  so as to apply only to situations in which the individual has no reasonable expectation  of privacy in the information.


Closely related to s.487.014 and the proposal to mandate disclosure of subscriber data upon request is PIPEDA. Under PIPEDA, TSPs are permitted to disclose personal information  (which includes name, address, and any other information about an identifiable individual) without the knowledge or consent of the individual only in certain specified circumstances.  One of those circumstances is if the disclosure is “made to a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that... (ii) the disclosure is requested for the purpose of...carrying out an investigation relating to the enforcement of any such law [of Canada, a province or a foreign jurisdiction]...” 202  (emphasis added).

The meaning of “lawful authority”

In the absence of clear statutory authority for police to obtain subscriber information

(and other personal information) without a warrant, the term “lawful authority” has been fraught with conflicting interpretations, with some TSPs taking the position that it means a warrant or court order, and with courts struggling to determine its scope. As a result, the government has proposed to amend PIPEDA to include the following clarification:

s.7(3.1)  For greater certainty, for the purpose of paragraph (3)(c.1):

(a) lawful authority refers to lawful authority other than

(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or (ii) rules of court relating to the production of records; and

(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution. 203

While this amendment would certainly clarify that “lawful authority” does not mean a court order or warrant, it does nothing to specify what is required for “lawful authority” to exist.  The proposed amendment therefore does little to assist courts and leaves TSPs uncertain as  to when they can and cannot legally disclose customer information to the police.

One possible interpretation of “lawful authority” in the context of PIPEDA is that it simply means establishing one’s credentials as a legitimate law enforcement agent acting within the scope of one’s functions and duties. But this interpretation is unlikely as it is already implicit in the existing provision’s requirement that the request be made by a government agent for a law enforcement purpose. As noted by Justice of the Peace Conacher in his reasons for denying  a search warrant request:

… s. 7(3) stipulates that the information can be provided without consent only if the body seeking the information has "identified its lawful authority to obtain the information" and has indicated that the disclosure is requested (in this case) for law enforcement purposes. The Act does not set out that the existence of a criminal investigation is, in and of itself, “lawful authority” within the meaning of the Act nor, therefore, does a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” establish such authority. Accordingly, there must still be some “legal authority” to obtain the information; in the view of this Court s. 7(3)(c.1)(ii) by itself does not establish what that “lawful authority” is. (emphasis in original) 204

Another interpretation is that “lawful authority” requires statutory authority, such as the proposed new law mandating warrantless access to subscriber data. But if by “lawful authority” the legislature meant only “statutory authority”, it could and would have used that term.  It must be presumed that the legislature meant more than statutory authority when it used the broader term “lawful authority”.

If “lawful authority” has any meaning (other than subpoena, warrant or court order), there must be circumstances involving law enforcement when it is not present. Such circumstances could include statutory authority, common law authority and, superceding both of these, constitutional authority. Indeed, the senior policy advisor and legal advisor to the government in the drafting of PIPEDA (Stephanie Perrin and Heather Black) explained in a text entitled “The Personal Information and Electronic Documents Act: An Annotated Guide”, published in 2001 shortly after the Act came into force, that:

[Section 7(3(c.1)(ii)] … is aimed at ‘pre-warrant’ activities in which private sector organizations cooperate with domestic law enforcement agencies who are collecting the information on a ‘casual’ or ‘routine’ basis and for which no warrant is required.  Only information that is of a relatively innocuous nature will be collected by these means, since the collection of information in which the individual has a reasonable expectation of privacy would require the Charter protection of a warrant. (emphasis added) [ 205. S. Perrin et al,  The Personal Information Protection and Electronic Documents Act:  An Annotated Guide  (Toronto : Irwin Law, 2001) at 75.]

Effectively refuting the now common practice of police to treat s.7(3)(c.1) of PIPEDA as authority for obtaining subscriber information from TSPs without a warrant, they note that “[w]hen … [s.7(3)(c.1)] … was introduced, the government stated that the amendment did  not give any new powers to law enforcement but that it merely reflects the status quo”. 205

Later, in answer to the question “If the local police wish to obtain information about a customer, what must happen?”, Perrin and Black confirm the intended meaning of “Lawful Authority”  in s.7(3)(c.1):

The organization can only comply with that request if the police can identify their lawful authority to get the information, which essentially means that it is information in which the individual does not have a reasonable expectation of privacy under section 8 of the Charter.  (emphasis added). 206

This interpretation is buttressed by subsection 5(3) of PIPEDA which states that “an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. In other words, none of the exceptions  in subs.7(3) permit collection, use or disclosure that would be considered inappropriate by reasonable persons. And surreptitious gathering by police of personal information in which  the individual has a reasonable expectation of privacy would surely be considered inappropriate by reasonable people.

In other words, when a police request for information is not Charter compliant by reason,  for example, of the lack of reasonable grounds to suspect that the information requested has anything to do with criminal wrongdoing, or because the information requested attracts a reasonable expectation of privacy, the TSP is not authorized under s.7(3)(c.1) to disclose the information. This statutory prohibition on the TSP’s right to disclose perfectly mirrors the police officer’s absence of constitutional authority to demand the information.

But whether a given request is Charter compliant is not always clear even to lawyers and judges.  It is patently unreasonable to expect TSPs to be able to conduct their own Charter analysis with respect to each request they receive from law enforcement. For this reason alone, s.7(3)(c.1) of PIPEDA needs to be amended. But the proposed amendment would not give TSPs the certainty they need, despite stating that the disclosing organization is not required to verify the validity of the lawful authority identified. It fails to state what “lawful authority” is – i.e., what it would look like to a TSP who is presented with a request. “Lawful authority” needs to be positively defined as something concrete that TSPs can easily assess without legal advice.

The simplest approach that would remove uncertainty for TSPs and ensure Charter compliance is to remove s.7(3)(c.1) entirely, thus prohibiting disclosures of customer information in response to requests from law enforcement without a subpoena, warrant or court order. This is the strongly favoured approach of those who value civil liberties.

Alternatively, the term “lawful authority” could be replaced by “statutory authority”.  The government could then enact legislation such as proposed in this package of reforms permitting or requiring organizations to disclose certain kinds of personal information to LEAs upon request without a subpoena, warrant or court order. TSPs and others would then have the certainty they need regarding the legality of warrantless requests, and issues of constitutionality would focus on the legislation itself.

Failure to distinguish between different types of personal information

PIPEDA applies broadly to all forms of “personal information” while importing notions  of “appropriateness”, “reasonableness” and flexibility so as to allow for differential treatment  of different types of information depending on the privacy interest at stake. 207 However, most of the exceptions to the general rule against disclosure without consent set out in s.7(3) do not distinguish among different types of data; they permit the disclosure of any personal information as long as the conditions in the exception are met. In particular, subs.7(3)(c.1) does not distinguish between content and other, non-content data – it allows organizations to disclose any and all personal information to LEAs upon request without warrant.

This “one size fits all” approach to voluntary disclosures permitted under PIPEDA is inappropriate insofar as it fails to recognize the generally very different privacy interests inherent in different types of data. Yet, as discussed above, such differences are the basis for application under the Criminal Code, common law and Charter of different standards for permitting law enforcement access to different kinds of personal information. US law applicable to private organizations also applies different disclosure rules depending on the type of data in question, with much more stringent limits applicable to e-mail messages and other communications content than to non-content records such as subscriber name and address and session logs. 208

Without detracting from the point that subscriber information and other non-content records can reveal a great deal about individuals and thus deserve to be protected by appropriate standards (for compelled as well as voluntary disclosure), the voluntary disclosure of personal information under s.7(3)(c.1) of PIPEDA in response to requests from LEAs, if maintained, should at least be limited to non-content information. Because they are responding to requests from law enforcement, private organizations are acting as agents of the state when providing this information. It has been clearly established that the Charter requires prior judicial authorization for the non-consensual interception of communications unless exigent circumstances exist, and this general rule logically extends to the surreptitious collection of data revealing the content of private communications. The exceptions set out in s.7(3) of PIPEDA that allow voluntary disclosure of personal information to police without the knowledge or consent of the individual should therefore be limited to non-content information in a manner consistent with the Charter.

VII. General Comments

If, despite the analysis above, the government’s proposed enhancements to Lawful Access powers are found to be constitutionally permissible, it does not follow that they are therefore appropriate or desirable. Similar powers have been in place in the US and UK for some years.  The experience in those countries with expanded state surveillance powers, briefly summarized below, is instructive. It strongly suggests that Canada should think twice before adopting measures that unnecessarily expand state surveillance at the cost of individual privacy and  social well-being.

Our knowledge of the effects of expanded state surveillance in the US and UK is attributable largely to regimes of oversight and accountability. Yet no similar oversight regime or accountability measures are being proposed along with the Canadian Lawful Access reform package.  Deficiencies in this regard are discussed below.

Finally, it is important to put the proposed measures in the context not only of increasingly powerful tools and technologies at the disposal of law enforcement, but also of a gradual legislative and jurisprudential creep backward toward pre-Charter powers of state surveillance.  These proposals are just one incremental move in a broader, more general tendency of Canadian governments to expand powers of state surveillance and of the Supreme Court of Canada to accept such expansion as justified in a free and democratic society.

Canada is not the only country to consider expanding police surveillance powers and capabilities in order to address the challenges of cybercrime. As noted above, the Council of Europe’s Convention on Cybercrime, binding on those states that have ratified it, calls for signatory states to adopt legislative measures aimed at the protection of society against cybercrime and to cooperate internationally in such law enforcement. 209 What the Convention calls for include production orders and preservation orders, as well as measures to ensure that authorities can engage in the real-time collection of traffic data and the interception of communications.  Most European states have ratified the Convention as has the US as a non-member state. Canada has signed but not yet ratified – the “Lawful Access” proposals under consideration now are designed, in part, to allow Canada to ratify this international treaty.

The US, UK and Australia have already mandated intercept capability by telecommunications service providers operating in their territories, 210 have production orders and provided for various ways in which authorities can obtain subscriber (and other) data without prior judicial authorization or reasonable grounds. 211 The US and UK have already provided for production orders, preservation orders and warrants for traffic data in keeping with the Cybercrime Convention and in June 2011 the Australian government proposed legislation to facilitate Australia's accession to the Cybercrime Convention. 212 The availability of these new Lawful Access powers, together with the new tools that technology offers even without new powers, have led to a marked increase in state surveillance in those countries.

United States of America

As noted above, LEAs everywhere are experiencing unprecedented new surveillance capabilities as a result of new technologies. According to the US-based Centre for Democracy and Technology, …taken as a whole, the digital revolution has made more information available to the FBI than ever before and government surveillance goes up almost every year.  In 2009, the most recent year for which statistics are available, federal and state law enforcement placed a record 2,376 wiretaps. On average, 3,763 communications were intercepted in each of these wiretaps.  Far from  "Going Dark" as a result of advances in technology, the FBI and other law enforcement agencies are experiencing a boon in electronic surveillance. 213

In addition to individually authorized interceptions, TSPs in the US have reported receiving large numbers of warrantless requests for data on a regular basis, even beyond those requests made for purposes of national security. 214 According to Christopher Soghoian, a Washington, DC-based Graduate Fellow at the Center for Applied Cybersecurity Research, a company executive disclosed at a conference in 2009 that:

Sprint Nextel [had] provided law enforcement agencies with its customers' (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers. 215

Facebook disclosed in 2009 that it was receiving between 10-20 requests each day from law enforcement looking for data 216 and AOL noted in 2006 that it received roughly 1,000 requests per month for data. 217 Google has disclosed that between January 2010 and July 2010, it received 4,287 data requests from law enforcement with only 128 being requests to remove content. 218

Soghoian’s research has also revealed that warrantless “emergency” requests by LEAs within the Department of Justice, to ISPs, for the content of internet communications have increased dramatically in recent years. 219 As Soghoian notes, these requests are just a small aspect of government surveillance; they do not include requests made by state and local LEAs, those made by the Secret Service or other federal LEAs outside the Department of Justice, or those requesting non-content information, such as geo-location data, subscriber information (such as name and address), or IP addresses used.

Caselaw from the US provides evidence that police there are routinely tracking suspects via GPS devices installed on vehicles and via cell phone location data, without warrants. 220 That issue is now before the US Supreme Court. 221 Also at issue is the government’s right to obtain cell phone location data without warrant: several bills have been put before Congress to require warrants for such surveillance. 222 The D.C. Circuit Court of Appeals recently ordered the government to disclose information from criminal prosecutions in which law enforcement agents obtained  cell-site location without a warrant. 223

In 2009, it was revealed that the US National Security Agency had routinely examined large volumes of Americans’ e-mail messages without court warrants, despite the requirement for such surveillance to be limited to foreign intelligence. The NSA’s spying on innocent citizens was so pervasive that even former President Bill Clinton’s personal emails were captured. 224 In 2010, it was discovered that the FBI had, contrary to policy, issued exigent letters to collect call data and transactional information about reporters and researchers working with the New York Times and Washington Post. 225 The FBI monitored other reporters on grounds that the reporters may have received leaked information about confidential government activities. 226 Even lawyers have been subject to overzealous government surveillance authorized by post-9/11 surveillance laws, having their phone calls monitored, offices secretly searched, and homes searched. 227

As the result of a 2009 Freedom of Information Act request, the Washington D.C.-based Electronic Privacy Information Centre (EPIC) forced disclosure of documents detailing unlawful uses of National Security Letters 228 by law enforcement agents. EPIC found that “FBI agents routinely sought documents they had no authority to procure, extended intelligence gathering activities well beyond the expiration of the agency's time-bounded authority to collect information, and failed to comply with legal protections.” 229

A recent report of the Oversight and Review Division of the Office of the Inspector General

(OIG) reviewed the FBI’s use of “exigent letters” and other informal surveillance powers  (other than National Security Letters which were the subject of a previous report calling for corrective measures) from 2003 to 2007. The OIG found that the Bureau had not kept adequate records, had misled the courts, and had violated the Electronic Communications Privacy Act over the course of exercising these powers. 230 The report notes that the FBI corrected errors in their processes only after the OIG found repeated misuse by the Bureau of its statutory authority to obtain telephone records. It describes, for example, a practice known as ‘sneak peeks’, under which telecom company employees would respond to warrantless FBI requests by searching their databases and describing what they found to the FBI agent. Sometimes, FBI agents were even allowed to view records on the telephone company’s computer screen. If the requested information was found, the FBI agents would then follow normal legal process to obtain it. 231

The report also concludes that the FBI indiscriminately requested “community of interest” or “calling circle” analyses of telephone numbers, likely resulting in the collection of thousands of telephone numbers that were not in fact relevant to the international terrorism investigation for which they were ostensibly collected. 232

In a more recent report released in January 2011, the EFF concluded that “the actual number of possible violations that may have occurred in the nine years since 9/11 could approach 40,000 violations of law, Executive Order, or other regulations governing intelligence investigations.” 233  EFF notes that from 2001 to 2008, the FBI itself investigated, at minimum, 7000 potential violations of laws, Executive Orders, or other regulations governing intelligence investigations.  During the same period, the FBI reported to the Intelligence Oversight Board approximately 800 violations of laws, Executive Orders, or other regulations governing intelligence investigations. 234

Post 9/11 “surveillance dragnets” in the US have also taken full advantage of information now publicly available via new technologies. The now infamous “Total Information Awareness” program was designed to gather and analyze information about individuals from all possible sources, using computer algorithms to identify patterns of behaviour, with a view to identifying terrorist suspects. 235 ‘Fusion centers’ 236 now regularly combine sensitive government data with publicly assessable data sets to derive inferences and actionable intelligence. 237 The Department of Homeland Security is known to have collected data from social networking sites in developing threat assessments for President Obama’s inauguration. 238

Such aggressive state surveillance has affected the perceptions of minority communities in the United States. 239  In one documented case of bureaucratic error, the leaders of an Islamic Charity were targeted by federal surveillance without warrant. 240 As noted by an FBI agent in 2009, "surveillance has prompted some Muslims to avoid mosques and cut charitable contributions out of fear of being questioned" or called "extremists"”. 241 Needless to say, this kind of surveillance creates a climate of fear and intimidation that has a chilling effect on free speech.

United Kingdom

Electronic surveillance powers in the UK are set out in the Regulation of Investigatory Powers Act (“RIPA”), 242 passed in 2000, as well as the post 9/11 Anti-Terrorism, Crime and Security Act 2001(“ATCSA”). 243 Like the mandatory intercept capability proposed in Canada, RIPA requires TSPs to be capable of facilitating interception of communications and automated collection of data by LEAs.  It also sets out rules under which public bodies (extending beyond LEAs to local councils) may conduct surveillance and access a person's electronic communications. Aimed at protecting the UK from terrorist attacks, the ATCSA expanded police powers in various ways, including by authorizing the disclosure of confidential information by public authorities to the police.  It also established a voluntary regime of data retention by telecommunications service providers, later made mandatory further to the EU Data Retention Directive. 244

As in the US, there has been much public opposition in the UK to the expansion of state surveillance powers in recent years, with Britain being characterized by some experts as a “surveillance society”. 245 In January 2011, the Home Secretary released her findings and recommendations from an internal review of counter-terrorism and security powers, finding  that “in some areas our counter-terrorism and security powers are neither proportionate nor necessary”. 246   Noting that “communications data” (subscriber ID/address and traffic data)  may be acquired by various public authorities under many legislative regimes, including the Social Security Fraud Act and the Financial Services and Markets Act, she recommended that law enforcement access to such data should be confined to that permitted under RIPA, which contains various safeguards including an oversight regime and a complaints mechanism. 247

The Home Secretary’s report follows several years of improper use of interception powers documented by the UK Interception Commissioner, including a 45% increase in monitoring  from 2006 to 2008. 248  In one case reported by the media, former police officers were found  to be illegally operating a sophisticated criminal surveillance business. 249

In July 2011, the UK-based organization Big Brother Watch released a report entitled Police Databases: How Over 900 Staff Abused their Access. The report found that between 2007  and 2010, 243 police officers and staff received criminal convictions for breaching the UK Data Protection Act (DPA), 98 police officers and staff had their employment terminated for breaching the DPA, and 904 police officers and staff were subjected to internal disciplinary procedures for breaching the DPA. 250

Earlier, in May 2010, Big Brother Watch released a report finding that over a two year period in 2008-2010, 372 local councils in England, Scotland and Wales had authorised 8,575 Directed Surveillance and Covert Human Intelligence Source authorisations under the RIPA. 251 BBW’s research also found that innocent people had been placed under surveillance for minor infractions ranging from littering and dog fouling to smoking in a public place. One family was subject to 21 separate acts of surveillance over a 3 week period for the purpose of ascertaining the family’s eligibility to send their children to a local school.  Such abuses have led to proposals that local councils be divested of such powers, or at least that local council surveillance be authorized in advance by a magistrate. 252

While there is no current proposal in Canada to give local or municipal authorities similar powers of surveillance, the staggering number of examples of documented abuses by law enforcement in the UK and the tendency to expand the uses of electronic surveillance beyond their original purposes (“function creep”) in that country provide an important lesson in the dangers of expanding surveillance powers.

Summary of experience in the US and UK with Lawful Access powers

Canadians do not have to look far to find examples of how the kinds of new Lawful Access powers being proposed will be used by their own agents of law enforcement. It is unclear whether these powers have allowed authorities in the US and UK to apprehend more criminals than before; this has never been conclusively demonstrated. But it is clear that these powers have been used to spy extensively on innocent citizens and to engage in fishing expeditions.  Moreover, they have created information security risks that did not previously exist and their  use appears to have exacerbated racial tensions and created a political chill. Such a track record is not promising.

Secrecy vs. Oversight/Accountability

We are aware of statistics on state surveillance in the US and UK, and on how new powers of Lawful Access are being used only because those countries have required that such information be reported and have tasked oversight bodies with making this information public. The purpose of such transparency measures is to deter LEAs from abusing their powers; reporting requirements serve as important accountability measures. This is particularly important with respect to the vast majority of electronic surveillance which is surreptitious and thus will never be disclosed to the subject of the surveillance.

In addition to mandatory reporting, some states have legislated consequences for abuse by state officials of such powers. Again, the importance of this is obvious in those instances where the victim is unlikely ever to know of the surveillance they have been subjected to.

In the UK, an independent oversight and complaints mechanism was established as part of RIPA.  This includes an Office of Surveillance Commissioners to oversee covert surveillance (other than telephone interception) and ensure compliance with human rights law, as well as an Interception of Communications Commissioner and an Intelligence Services Commissioner, each of whom oversees compliance of LEAs with relevant laws. A new Investigatory Powers Tribunal was also established under RIPA to investigate individual complaints about any alleged conduct by or on behalf of the Intelligence Services.

In the US, the Omnibus Crime Control and Safe Streets Act requires annual reports to Congress on police wiretaps. These reports reveal the location, the kind of interception (phone, computer, pager, fax), the number of individuals whose communications were intercepted, the number of intercepted messages, the number of arrests and convictions that resulted from the interception, and the financial costs of the wiretap. Under the Pen Register Act, police are also required to report on their use of “PEN registers” and “trap and trace” devices 253including the period of interceptions authorized by order and number, duration, and extension of orders, and the specific offence under which each order is given. 254 The Stored Communications Act requires an annual report from the Attorney General to the House and Senate Judiciary Committee on warrantless demands for data on grounds of exigent circumstances.

US law also provides for civil 255 penalties for government misconduct under surveillance laws: if the aggrieved person successfully establishes that a violation occurred, the Court may assess damages of $10,000 minimum. 256 In addition, internal disciplinary action must be taken by the department or agency concerned against officers or employees who have violated the law.

In contrast, no such oversight or accountability measures are being proposed to ensure that expanded Lawful Access in Canada is not abused by the authorities to whom it is entrusted.

Canadian Proposals for Oversight/Accountability

As noted above, the proposed new preservation demands, preservation orders, production orders and revised warrants may contain prohibitions on disclosure of the existence or contents of the order. 257 Law enforcement officers would also be able apply to the court for a specific order prohibiting a person from disclosing the existence or contents of a preservation demand, preservation order or production order during the period set out in the order. 258 Warrantless access to subscriber data would be subject to regulations that could include similar gag orders.  In addition, judges would be empowered to issue warrants, preservation orders and/or production orders together with authorizations to intercept private communications, and when that occurs, the strict rules of non-disclosure to affected parties regarding interceptions would automatically apply in respect of the requests for related orders or warrants. 259

In other words, all of these Lawful Access powers could be exercised under strict conditions  of secrecy. Yet there is no proposal for public reporting of their use, for regular external audits, or for notification to subjects after the fact.  Nor is there even a public body proposed or in place with powers to oversee the exercise of these powers by LEAs. While the Security Intelligence Review Committee has oversight powers over CSIS, no such body exists to oversee police activities in Canada. The Commission for Public Complaints Against the RCMP and other civilian review bodies have more limited mandates, focused on responding to public complaints about the conduct of police force members.

The Chairman of the Commission for Public Complaints Against the RCMP has also called publicly for greater powers of oversight over the national police service, pointing out that privacy and intelligence watchdogs have more power than does his office. 260

His calls echo the 2007 recommendations of the Task Force on Governance and Cultural Change in the RCMP. 261 This lacuna in oversight continues to exist despite the recommendation of Justice Dennis O’Connor in his report on the Maher Arar affair that “an independent, armslength review body” be established to oversee the information-sharing practices of the RCMP. 262 Clearly, there is a serious need for comprehensive oversight of policing and national security activities in Canada even without the proposed new expanded Lawful Access powers.

Under the Lawful Access proposals, public reporting would continue to be limited to interceptions under s.195 of the Criminal Code and would not extend to surveillance of a suspect’s location or transmission data, nor to warrantless requests for subscriber data, preservation demands and orders, or production orders.

The current rules requiring notification of the subjects of interceptions would continue to apply to entirely surreptitious interceptions (but not to those with consent of one party such as a police informer), but would not extend to the similarly privacy-invasive surveillance via tracking devices and transmission recording devices.

And even if some of the surveillance permitted by these new Lawful Access powers was not made secret, the right of TSPs to challenge a demand, order or warrant directing them to provide information or access to information would be limited to production orders – it would not apply to preservation orders or demands, demands for subscriber data, or warrants for tracking or transmission data.

Other countries have seen fit to include a mandatory Parliamentary review of legislation granting increased powers of surveillance to their law enforcement authorities. The Canadian proposal includes no such review.

The absence of any proposal for effective oversight and accountability of LEAs exercising these new powers is a glaring omission in the Lawful Access package. As noted above, the failure to provide effective oversight is itself likely to render at least some of the proposals unconstitutional insofar as it impairs privacy rights more than necessary.  Even without the proposed new powers, there have been repeated calls for more effective oversight of police agencies in Canada. It would be a serious failure of public policy to increase police powers without strengthening their accountability, especially in the current climate of mistrust based  on highly publicized policing excesses.

Incremental Expansion of Lawful Access

It is also important to assess the proposed new Lawful Access powers not just on their  own merits, but in the context of a series of legislative steps all heading in the same  direction – toward a surveillance society.

Shortly following the 2001 terrorist attacks on New York and Washington, Canada enacted  the Anti-Terrorism Act to give new surveillance powers to our national security agencies for  the purpose of counter-terrorism and foreign intelligence gathering. 263 For example, that Act amended the National Defence Act so as to allow for warrantless interception of foreign communications. 264 At the same time, amendments to the Criminal Code gave LEAs new  tools with which to fight organized crime. 265 Among their many other empowering provisions, these new laws together relaxed the Criminal Code requirements for electronic surveillance  of suspected terrorist groups and organized crime by eliminating the need to show

“investigative necessity”, by extending the period of authorization from 60 days to one year, and by similarly extending the period after which the subject must be notified of the surveillance  from 60 days to one year.

In 2004, a new production order was added to the Criminal Code for financial or commercial information. 266 By way of this new order, financial institutions could be required “to produce  in writing the account number of a person named in the order or the name of a person whose account number is specified in the order, the status and type of the account, and the date on which it was opened or closed”. 267 All of this information could of course be obtained via a general production order. The new production order was created solely to lower the threshold  for demanding this particular kind of information, on the grounds that it does not attract the same privacy interest as, say, the details of one’s financial account.

The new production orders now being proposed will follow this precedent, applying it to tracking and transmission data as well as financial account data, presumably using the same rationale.  However, as noted above, the nature, quantity, quality and value of location and transmission data is changing with technology and is already potentially far more revealing  of an individual’s personal life than is the financial data subject to the existing special production order.  In other words, even if it can be said that one’s financial account number, type, status  and date opened or closed does not attract such a reasonable expectation of privacy as to  warrant a high evidentiary standard for disclosure, the same reasoning does not extend  to tracking and transmission data.

As noted above, preservation orders appear on their face to be a less intrusive and more reasonable solution to the problem of potential destruction of relevant data by TSPs than the mandatory data retention that some other countries have seen fit to introduce.  However, business realities are such that the mere prospect of being frequently subjected to such demands and orders may lead TSPs to engage in data retention as a matter of course, as long as standardized data retention is less expensive than case-by-case data preservation.  In other words, it is entirely possible that the apparently reasonable case-specific data preservation approach proposed in this package of Lawful Access reforms will result in a de facto data retention regime in Canada.

Mandatory intercept capability may also be just the first step toward an even more intrusive surveillance regime in which private commercial entities are required not just to make  their networks intercept-capable, but to make the devices they sell to consumers capable  of device-level monitoring.  Device-level surveillance technology is already available and in  use by some hackers and possibly by intelligence agencies to interfere with devices, to intercept communications in real time, and to access stored data. 268 Like other technologies, it is being constantly developed to become more functional. Device-level surveillance capacity may  well become mandated in the next stage of “Lawful Access”, after networks have been made fully intercept-capable.

It is increasingly evident that Canada is moving backwards toward its pre-Charter state of allowing extensive police surveillance without justification. The current proposals to expand Lawful Access are a big step in that direction, and of significant concern on their own.  But they should also be seen in the context of what appears to be a gradual shift toward a surveillance state.  It is entirely reasonable to wonder:  what will be next?

VIII. Conclusion

Under the guise of “modernization” and “keeping up with criminals”, these proposals would take advantage of new technologies, new modes of communication and new social practices to significantly expand access by LEAs to the personal information of individuals. While referred to as “Lawful Access” powers, the lawfulness of some of these powers under the Charter of Rights and Freedoms is highly questionable.

Expanded powers would include:

  • Access to “subscriber data” upon request without either prior judicial authorization or reasonable grounds to suspect criminal behaviour;
  • New preservation orders, available on a low evidentiary standard;
  • New preservation demands with no requirement for prior judicial authorization;
  • New production orders for tracking and transmission data, available on a low evidentiary standard;
  • Lower evidentiary standard for, and expanded scope of, tracking warrants,
  • Expanded scope of warrants for telephone number recorders to encompass all forms of transmission data.

The government claims that the proposed legislation simply “provides authorities with  the updated tools needed in the fact of rapidly changing technology, without diminishing  the considerable legal protections currently afforded to Canadians with respect to privacy  or freedom from unreasonable search and seizure.” 269 However, the proposals do not in fact maintain the same level of police power (or privacy protection for citizens) in a changing informational context; rather, they expand police powers to access the already increased quantity and breadth of personal data now available as a result of new technologies.

This point cannot be emphasized enough: these expanded powers are not being proposed in  a static context. The increased legal power that these proposals would expressly grant to LEAs will be greatly enhanced by the real world context of vastly more and richer personal data now available as a result of new technologies.  In other words, the proposals effectively constitute  a “double whammy” to individual privacy: they would give law enforcement more legal  powers to mine the hugely expanded trove of personal information already available to  police under existing powers.

At a time when technology and social practices are providing LEAs with vastly greater amounts and richer types of data for investigations and intelligence-gathering, these reforms would provide such agencies with powerful new tools by which to tap this growing source of investigational data, and would do so on the basis of lower evidentiary standards - or in the case of subscriber data, no evidentiary standards at all.  Individual privacy is already under siege as a result of new technologies and business practices; these reforms would further erode the fragile framework of privacy protection that we have constructed to control state surveillance.

Enhancing new LEA powers would be a requirement for TSPs to be fully intercept-capable i.e., to configure their networks so as to facilitate authorized interceptions by law enforcement agents.  In addition to removing existing technical obstacles to interception by a single agent, this new law would mandate TSPs to permit multiple simultaneous interceptions by LEAs from multiple jurisdictions. Thus, the context in which police exercise their new expanded powers would be even more amenable to state surveillance, with the corollary security risk of unauthorized access and cyber-security attacks via the new mandated “back door” for law enforcement access to private communications.

One might expect that the proposals to expand police powers would be accompanied by  an oversight regime with strong measures to ensure public accountability, at least where  the normal requirement for prior judicial authorization is absent. Yet, there is no proposal  for meaningful oversight of warrantless access powers and only a few weak measures  (e.g., internal reporting and internal audits) designed to allow for some accountability.  Unlike the regime governing covert interception of private communications by state authorities, there is no requirement to account publicly for the use of powers to gather data about subscribers and/or users of telecommunications services without warrant, even though data gathered in these ways can now reveal more about an individual than may be revealed by real-time interception  of private communications.

Furthermore, all of the new demands, orders and warrants may be made subject to “gag orders” and, again unlike the regime governing covert interceptions by state authorities, individuals  who are subject to state surveillance via the new and expanded search powers have no right  to be notified of the fact. Subjects of state surveillance under these new powers are therefore unlikely ever to know of the activity unless they are eventually charged with an offence.  And if individuals are unaware of searches involving them, they will be unable to  challenge such searches.

Canada is not alone in proposing to expand state surveillance powers and capacity;  indeed, the Lawful Access proposals are motivated to some degree by international peer  pressure and Canada’s desire to ratify the Council of Europe’s Convention on Cybercrime.  But the experience of other jurisdictions that have enacted similar laws in recent years is not promising: although the new laws have contributed to an explosion of state surveillance with  the inevitable accompanying misuse of powers, there is little evidence that they have  actually improved state security.

Canada is in a privileged position having not yet adopted the approach of these other countries: rather than proceeding on the basis of rhetoric, we can learn from the experience elsewhere and carefully examine the evidence, weighing the costs and risks that expanded state surveillance will generate against its much less clear benefits in terms of increased security. Rather than inviting Charter challenges and public opposition, the government should re-examine these proposals in light of the already increased surveillance powers of LEAs and the absence of any real evidence that the proposed new powers are needed to ensure the security of Canadians.

  1. See for example “Protecting Privacy for Canadians in the 21st Century” Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials on Bills C-46 and C-47 September 9-10, 2009, St. John’s, Newfoundland and Labrador. Online:
  2. R. v. Tse, 2008 BCSC 211(CanLII).
  3. The term “warrantless” is used in this paper to mean “without a warrant or court order”.
  4. See Letter to Public Safety Canada from Canada's Privacy Commissioners and Ombudspersons on the current “Lawful Access” proposals dated March 9, 2011. Online:
  5.  R v. Mann, 2004 SCC 52 (CanLII), paras. 15-16.
  6. Narcotics Control Act, R.S.C. 1970, c. N-1, s.10(3); Food and Drug Act, R.S.C. 1970, c. F-27, s. 37(1)(a); Customs Act, R.S.C. 1970, c. C-40, s. 145.
  7. Hon. Marc Rosenberg, “Twenty-Five Years Later: The Impact of the Canadian Charter of Rights and Freedoms on the Criminal Law”, Supreme Court Law Review, 2nd Series, vol. 45 (Markham, ON: LexisNexis Canada, 2009). See also James Stribopoulos, “Has the Charter Been for Crime Control? Reflecting on 25 Years of Constitutional Criminal Procedure in Canada”, in Margaret Beare, ed., Honouring Social Justice: Honouring Dianne Martin (Toronto: UofT Press, 2008), ch. 14.
  8. Id.
  9. Referenced in Hon. Marc Rosenberg (n. 7). See also A. Borovoy, When Freedoms Collide: The Case for Our Civil Liberties (Toronto: T.H. Best Printing, 1988), at 94-95.
  10. Hon. Marc Rosenberg (n. 7).
  11. Id.
  12. Remarks of the Right Honourable Beverley McLachlin, Chief Justice of Canada; “Symons Lecture – 2008”. Online: <>.
  13. SCC 67, para. 13.
  14. R v. Dyment (1988) 2 SCR 417 para. 34.
  15. 1990 CanLII 150 (S.C.C.), 1990 1 S. C. R. 30, at 43-44.
  16. The Chronicle of Higher Education (May 15, 2001).
  17. See Mr. Justice D.C. McDonald “Commission of Inquiry Concerning Certain Activities of the Royal Canadian Mounted Police” 1979-1981. The Commission’s reports are online: < pco-bcp/commissions-ef/mcdonald1979-81-eng/mcdonald1979-81-eng.htm>.
  18. Hunter et al. v. Southam Inc., (1984) 2 SCR 145 at 159.
  19. R. v. Plant, (1993) 3 SCR 281 at 15.
  20. Id.
  21. R. v. Gomboc, 2010 SCC 55, (2010) 3 SCR 211.
  22. See R. v. Tessling (n. 13).
  23. R. v. Wise, 1992 1 SCR 527.
  24. R. v. A.M., 2008 SCC 19, (2008) 1 SCR 569, R. v. Kang-Brown, 2008 SCC 18, (2008) 1 SCR 456.
  25. R. v. Patrick, 2009 SCC 17, (2009) 1 SCR 579.
  26. R. v. Tessling (n. 13) para. 18.
  27. R. v. Edwards, (1996) 1 SCR 128 para. 45.
  28. R. v. Patrick (n. 25), para. 42.
  29. R. v. Gomboc (n. 21), para. 117.
  30. Tessling (n. 13), para. 40
  31. Tessling (n. 13), para. 42
  32. R. v. Patrick (n. 25), paras. 26-27.
  33. R. v. Plant (n. 19).
  34.  Binnie in R. v. A.M., (n. 24), para. 68.
  35. Id. para.67. 
  36.  Binnie J. in R. v. Kang-Brown, see 24, supra para. 58.
  37.  R. v. Patrick (n. 25), para. 27.
  38.  R. v. Gomboc (n. 21), paras. 108 and 118.
  39.  Id. per McLachlin C.J. and Fish J, para. 139.
  40. R. v. McNeice, 2010 BCSC 1544; R. v. Brousseau, 2010 ONSC 6753; R. v. Ward, 2008 ONCJ 355; R. v. Friers, 2008 ONCJ 740; R. v. Spencer, 2009 SKQB 341; R. v. Wilson, (2009) O.J. No. 1067; R. v. Vasic, (2009) O.J. No. 685.
  41.  R. v. Cuttell, 2009 ONCJ 471; R. v. Kwok, (2008) O.J. No. 2414.
  42. Hunter v. Southam (n. 18), at 160-161.
  43. Id.
  44. Id. at 161-2.
  45. R. v. Dyment (n. 14), para. 23.
  46.  The term “warrant” is used here and elsewhere in the paper to include production orders and other forms  of legal authorization for searches.
  47. R. v. Rao (1984), 12 C.C.C. (3d) 97 (Ont. C.A.); leave to appeal refused ((1984) S.C.C.A. No. 107).
  48. R. v. Simmons, 1988 CanLII 12 (SCC), (1988) 2 S.C.R. 495, at 528.
  49. R. v. M. (M.R.), 1998 CanLII 770 (SCC), (1998) 3 S.C.R. 393.
  50. R. v. Kang-Brown  (n. 24), para. 59.
  51. Hunter et al. v. Southam Inc.  (n. 18), at 167.
  52. Hunter et al. v. Southam Inc.  (n. 18), at 167-168.
  53. Baron v. Canada  (1993) 1 SCR 416.
  54. See  R. v. Wise, R. v. A.M.  and  R. v. Kang-Brown  (n. 23 and 24). See also R. v. Briggs 2001 CanLII 24113 (ONCA).
  55. R. v Wise  (n. 23), para. 106.
  56. Id.  para. 84.
  57.  Binnie and McLachlin JJ., in  R. v. Kang-Brown , (n. 24), para. 58.
  58. R. v. Godoy , (1999) 1 S.C.R. 311.
  59. Cloutier v. Langlois , (1990) 1 S.C.R. 158.
  60. R. v. Mann , 2004 SCC 52, (2004) 3 SCR 59. Under the ancillary police powers doctrine articulated  in R . v. Waterfield , (1963) 3 All E.R. 659 (C.C.A.), a search will be found to have been authorized  by law if (1) it “fell within the general scope of the duties of a police officer under statute or common law”,  and (2) the “interference with liberty (was) necessary for the carrying out of the particular police duty  and …  (was) reasonable, having regard to the nature of the liberty interfered with and the importance  of the public purpose served by the interference”:  Dedman v. The Queen , 1985 CanLII 41 (SCC),  (1985) 2 S.C.R. 2, at paras. 68 and 69.
  61. Id.  Dedman v. The Queen , para. 69.
  62. R. v. Gomboc  (n. 21), para. 145.
  63. Her Majesty the Queen v. Yat Fung Albert Tse, et al  which is currently before the Supreme Court of Canada.
  64. The Quebec Court of Appeal has however ruled that the legislated “suspicion”-based standard for telephone number recorders in s.492.2 does not violate the constitution: see  Cody c. R.,  2007 QCCA 1276 (CanLII).
  65. (1991) 3 S.C.R. 595, (1991) S.C.J. No. 95.
  66. Id.  para. 24.
  67. R. v. M  (n. 49),at 3.
  68. R. v. Buhay, 2003 SCC 30, (2003) 1 SCR 631 paras. 29-30.
  69. R.  v.  Dersch , (1993) S.C.J. No. 119 paras. 19-20.
  70. R. v.   Weir  (2001) A.J. No. 869 at paras. 9 and 11.
  71. R. v. Chang , 2003 ABCA 293 (CanLII), paras. 16-18.
  72. R. v. Lunn , 1990 CanLII 1237 (BC CA).
  73. CanLII 46.
  74.  Thomson Newspapers Co. v. Canada (Attorney General ), 1998 CanLII 829 (S.C.C.) para. 125.
  75. R. v. Hufsky  (1988) 1 S.C.R 621; R. v.  Ladouceur  1990 1 SCR 1257.
  76. Id. R . v.  Ladouceur.
  77. R. v. Tse  2008 BCSC 211 (CanLII); see also  R. v. Six Accused Persons , 2008 BCSC 212 (CanLII),  a similar judgment of Davies, J.
  78. Id.  para. 200.
  79. R. v. Riley , 2008 CanLII 36773 (ON SC). Dambrot J. concluded at para. 4 that “s.184.4 of the Criminal Code  is inconsistent with the  Charter  in two respects: (1) … the availability of the extraordinary power to intercept without prior judicial approval exceeds what is reasonable within the meaning of s.8 of the  Charter  because  of the overbreadth of the definition of peace officer in so far as it governs who may make use of s.184.4; and (2)  the absence of an obligation to give notice to objects of interception is inconsistent with s. 8 of the  Charter.   I have further concluded that the first of these deficiencies can be remedied by severance, and the second by reading down. With these deficiencies remedied, I conclude that the overall scheme in s. 184.4 is reasonable.”
  80.  S. 184.2.
  81. S. 184.1(1)(b).
  82. S. 184.4.
  83. S. 184.6.
  84. S. 185, 186, 195, 196.
  85. S.487.11.
  86. See for example s. 184.2(2) and (3).
  87. The constitutionality of these lower standards has not yet been put to the Supreme Court of Canada.
  88. S. 492.1(1).
  89. S. 492.1(1).
  90. S. 7(3)(c).
  91. S. 7(3)(d).
  92. S. 7(3)(c.1).
  93. Centre for Democracy and Technology, “FBI Seeks New Mandates on Communications Technologies”,  February 24, 2011. Online at:
  94. Sprint and other telecommunications firms have established call centers to more quickly clear and respond to law enforcement requests (see: C. Soghoian, “8 Million Reasons for Real Surveillance Oversight” (December 1, 2009. Online : Cloud computing providers such as Google have established Lawful Access portals that allow authorities  with warrants to remotely access communications that are stored on Google servers (see: B. Schneier, “US Enables Chinese Hacking of Google” (January 23, 2010) online:
  95. D.J. Solove  Nothing to Hide :  The False Tradeoff between privacy and security ,  (Yale University Press, 2011), at 2.
  96.  Department of Justice Canada, “Backgrounder: Investigative Powers for the 21st Century  (IP21C) Act” (June 2009).
  97.  See, for example,  R. v. A.M . and  R. v. Kang-Brown  (n. 24): in both cases, four of the nine judges held that legislation was required to lower the evidentiary standard for sniffer dog searches.
  98. Bill C-52,  An Act regulating telecommunications facilities to support investigations , 3rd Sess,  40th Parl, 2010 (first reading 1 November 2010) (IPCEC), s. 6.
  99. Id.  s. 7(b) and (d).
  100. Id.  s. 6(3).
  101. Id.  s. 25.
  102.  Id.  s. 28.
  103. Susan Landau, Surveillance or Security? The Risks Posed by New Wiretapping Technologies   (Cambridge, Mass.: The MIT Press, 2010) at 196-7.
  104.  McMillan “Google attack part of widespread spying effort U.S. firms face ongoing espionage from China” January 13, 2010. Online:
  105.  See NSA warrantless surveillance controversy. Online:
  106.  Lichtblau and J. Risen Officials Say U.S. Wiretaps Exceeded Law April 15, 2009. Online:
  107.  Greek wiretapping case 2004–2005  online: While US intelligence  agencies have been informally identified as suspects, the identity of the perpetrators has still not been established.
  108.  Mandating private organizations to act as agents of the state  per se  does not violate any constitutional  right or freedom.
  109.  See Article 20 of the Council of Europe Convention on Cybercrime (ETS no. 185) Budapest, 23.XI.2001,  which Canada has signed and intends to ratify once necessary legislative changes have been implemented.
  110. Bill C.52, s. 16.
  111. PIPEDA s. 7(3)(c.1).  NOTE: for the sake of convenience, the term “warrant” in this section includes  production orders and any other enforceable order for disclosure.
  112. S. 16 (n. 110).
  113. The greater of five or 5% of the agency’s total staff:  Bill C-52, s. 16(4).
  114. Bill C-52, s. 16(2).
  115. Id.  s. 17.
  116. Id.  s. 64(1)(l)(ii).
  117. Id.  s. 64(2).
  118. Id.  ss. 57, 61.
  119. Criminal Code,  s. 196.
  120. Bill C-52, s. 19.
  121. Id. s . 20(2).
  122. Id.  ss. 20(4) and (5).
  123. R. v. Ballendine,  2011 BCCA 221 (CanLII), para. 74.
  124. See 44.
  125. See 43.
  126. See 44, para. 21.
  127. R. v. Eddy  (1994) N.J. No. 142 para. 175.
  128. D. Gilbert et al., “The Medium and the Message: Personal Privacy and the Forced Marriage  of Police and Telecommunication Providers” 51  Crim.L.Q.  469 (2005-2006) at 503.
  129. See  R. v. A.M.  (n. 24), para. 67.
  130. PIPEDA, s. 7(3).
  131. BMG Canada Inc. v. Doe,  2005 FCA 193 (CanLII),  BMG Canada Inc. v. John Doe , 2004 FC 488  (CanLII) para.37: “In keeping with the protocol or etiquette developed in the usage of the internet,  some degree of privacy or confidentiality with respect to the identity of the internet protocol address  of the originator of a message has significant safety value and is in keeping with what should be  perceived as being good public policy”.
  132. R. v. A.M . (n. 24), para. 67.
  133. PIPEDA, s.5(1) and Schedule 1, Principle 4.7.
  134. Id.  s.7(3).
  135.  See R. v.  McNeice, R. v. Brousseau, R. v. Ward, R. v. Friers, R. v. Spencer, R. v. Wilson, R. v. Vasic  (n. 40).
  136. See  R. v. Cuttell, R. v. Kwok  (n. 41).
  137. R. v. Gomboc  (n. 21), Justices McLachlin C.J. and Fish J. paras. 139-142.
  138. PIPEDA, s. 7(3).
  139. See  R. v. Cuttell  (n. 41), paras. 40 and 45.
  140. See  R. v. McNeice  (n. 40), para. 43.
  141. R. v. Oakes  (n. 73), para. 69.
  142.  Thomson Newspapers   Co. v. Canada (Attorney General) , 1998 CanLII 829 (SCC)  para. 98 quoted in  Harper v. Canada (Attorney General) , 2004 SCC 33 (CanLII) para. 92.
  143.  Public Safety Canada, “Backgrounder - Investigating and Preventing Criminal Electronic Communications Act” (November 1, 2011). Online: last.
  144. S. 487.11,  Criminal Code .
  145. Bill C-52, s. 16(2).
  146. S.487.11,  Criminal Code .
  147. Bill C-52 s. 16(2)(b). There is no requirement for dual criminality in order for Canadian police  services to use this provision in the investigation of foreign offences. Moreover, there is no requirement  (as there is under the proposal for Preservation Orders) that authorities in the foreign state be conducting  an investigation of the offence.
  148.  In addition to subscriber name, address, telephone number and IP address, “subscriber data” available to law enforcement agencies by way of subpoena includes date, time and length of communication; length of service, types of service utilized, means and source of payment for services: 18 USC 2703(c)(2).
  149.  The FBI is also empowered to obtain telecommunications subscriber name, address, length of service and long distance toll billing records upon request without the need for probable cause or prior judicial authorization,  for only for the purpose of foreign intelligence investigations:  18 USC 2709.
  150.  US Department of Justice Office of Legal Policy,  Report to Congress on the Use of Administrative Subpoena Authorities by Executive Branch Agencies and Entities , undated, online:; see also Charles Doyle,  Administrative Subpoenas and National Security Letters in Criminal and Intelligence Investigations: A Sketch,  CRS Report  for Congress, April 15, 2005.
  151. DOJ Report,  id.  at 15.
  152. See online:
  153.  McIntyre v. Ohio Elections Commission  No.93-986, Supreme Court of the United States 514  U.S. 334 (1995) para. 357.
  154. Bill C-51,  An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance  in Criminal Matters Act , 3rd Sess, 40th Parl, 2010 (first reading 1 November 2010) (IP21C), proposed s. 487.013.
  155. Bill C-51, proposed s. 487.0191 – this applies to preservation demands and production orders as well.
  156. Bill C-51, proposed s. 487.0194.
  157. Bill C.51, proposed s. 487.012(2).
  158. Id .
  159. Id . sub-section (5).
  160. Id . sub-section (4).
  161. See  R. v. Dersch  (n. 69) para. 20.
  162. Bill C. 51, clause 9(4).
  163. I. Kerr and D. Gilbert, “The Role of ISPs in the Investigation of Cybercrime”, chapter 20  of Tom Mendina and Johannes J. Britz, eds,  Information Ethics in the Electronic Age  (2004) at 169.
  164. Erin Morgan, “Surveillance and Privacy in the 21st Century: the Impact of Bills C-51 (IP21C) and C-52 (IPCEC)”, (2011)  43 U.B.C. L. Rev . 471-495, para. 39.
  165. R. v. Oakes  (n. 73), para. 69.
  166. Schedule 1, Principle 5.
  167.  See Public Safety Canada, “Backgrounder” accompanying Bill C-46, a previous version of the same  legislation in question here, “Backgrounder: Investigative Powers for the 21st Century (IP21C) Act”  Online:
  168. Stored Communications Act,  18 USCS §§ 2701.
  169. Bill C-51, proposed s. 487.011, definitions.
  170. Id.
  171. Id.  s. 497.015.
  172. See Public Safety Canada “Backgrounder” (n. 167).
  173. See Bill C-51, s. 487.012(1)(b) and 487.014(2)(b).
  174. S. 492.1(1),  Criminal Code , and Bill C-51, proposed s. 492.1(1).
  175. Bill C-51, proposed s. 492.1(2).
  176. Id.  s. 492.2(6).
  177. See  R. v. Cody  (n. 64) para. 25.
  178. Bill C-51, proposed ss. 487.011 and 492.2(6).
  179. R. v. Fegan , (1993) 80 C.C.C. (3d) 356 (Ont. C.A.), at 363 and 364, quoted in  R. v. Cody , (n. 67),para. 11.
  180. W. Diffie and S. Landau,  Privacy on the Line: The Politics of Wiretapping and Encryption,  2nd ed.,    (Cambridge, Mass.: The MIT Press 2007).
  181.  J. Strandburg, “Surveillance of Emergent Associations: Freedom of Association in a Network Society”,  in A. Acquisti, S. Gritzalis, C. Lambrinoudakis, and S. De Capitani di Vimercati (eds.). Digital Privacy:  Theory, Technologies, and Practices (New York: Auerbach Publications, 2008).
  182. Landau,  (n. 103) at 137.
  183.  Mulliner “Random tales from a mobile phone hacker” Presentation at CanSecWest 2010, Vancouver, Canada. Slides online:
  184. Bill C-51, proposed s. 492.2(2).
  185. Bill C-51, proposed s. 487.011, s. 492.1(8).
  186. Id.
  187.  Dated March 3, 2009 online:
  188. G. Elmer,  Profiling Machines: Mapping the Personal Information Economy   (Cambridge, Mass: The MIT Press 2004).
  189. See: D. Phillips and M. Curry, “Privacy and the phenetic urge: Geodemographics and the changing  spatiality of local practice”, in D Lyon (ed) Surveillance as social sorting : privacy, risk, and digital  discrimination (London ; New York : Routledge, 2003)  at 137-152.
  190. United States v. Maynard,  615 F.3d 544.
  191. Id.  at 560.
  192. Id . at 562.
  193.  R. v. Mahmood , 2008 CanLII 51774 (ON SC), para. 48.
  194. Id . para. 57.
  195. Department of Justice Canada, News Release,  “ Government of Canada introduces legislation to fight crime in today’s high-tech world ” , November 1, 2010.
  196. Bill C-51 s. 487.0195(1).
  197. See  R. v. Gomboc  (n. 21).
  198. Id . para. 31.
  199. R. v. Cuttell  (n. 41), para. 55.
  200. See  R. v. McNeice (n. 40), para. 43.
  201. PIPEDA s. 7(3)(c.1).
  202. Id.
  203. Bill C-12,  An Act to amend the Personal Information Protection and Electronic Documents Act  s. 6(12).
  204. S.C.(Re),  2006 ONCJ 343 (CanLII), para. 9.
  205. Id . at 74.
  206. Id . at 165.
  207. See for example s. 5(3) and Schedule 1, Principles 4.3, 4.3.4, 4.3.5 and 4.3.6.
  208. Stored Communications Act,  18 USC. 2702.
  209. See  Convention on Cybercrime  (n. 109).
  210. United States:  Communications Assistance for Law Enforcement Act  (CALEA), 47 USC 1001-1010; United Kingdom:  Regulation of Investigatory Powers Act  (RIPA), chapter 23, ss. 12-14; Australia:  Telecommunications Act 1997 , parts 14- 15.
  211. Stored Communications Act ; Administrative subpoenas are available to a wide range of US authorities for use in enforcing their statutes.  In addition, the FBI is empowered to gather large amounts of subscriber and other data (not content) without warrant for purposes of counter-terrorism: 18 USC 2709.  In the UK, ss.21-15 of the RIPA allows law enforcement access to transmission data upon request without warrant.
  212.  Cybercrime Legislation Amendment Bill 2011 online:
  213.  Center for Democracy and Technology  “ FBI Seeks New Mandates on Communications Technologies” (February 24, 2011). Online:
  214. Id.
  215.  Analysis and opinion by Christopher Soghoian, “8 Million Reasons for Real Surveillance Oversight” (December 1, 2009). Online:
  216.  Summers, “Walking the Cyberbeat” Newsweek , (April 30, 2009). Online:
  217.  Hansell, “Increasing, Internet’s Data Trail Leads to Court” New York Times (February 4, 2006). Online:
  218. Google “Transparency Report” (2011) online:
  219. Analysis and opinion by Christopher Soghoian, “Warrantless “emergency” surveillance of Internet communications by DOJ up 400%” (August 4, 2011). Online:
  220. See for example  United States v. Pineda Moreno  617 F.3d 1120; and  United States v. Maynard and Jones , (n. 187).
  221. United States v. Maynard and Jones  is under appeal as of the writing of this paper.  See also M. Hoffman “Supreme Court Agrees to Hear Key Warrantless GPS Tracking Case” Deeplinks Blog (June 27, 2011). Online:
  222.  See Digital Due Process, “EPPCA Reform: why now?” Online:
  223.  See Electronic Frontier Foundation Blog posting “FOIA Victory Will Shed More Light on Warrantless Tracking of Cell Phones” (September 10, 2011). Online:
  224.  Risen and E. Lichtblau, “E-Mail Surveillance Renews Concerns in Congress” The New York Times (June 16, 2009). Online:
  225.  US Department of Justice, Office of the Inspector General, “A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records”  Department of Justice  (January 2010). Online:; at 92-95.
  226. Id . at 115-120.
  227.  Lichtblau “US Will Pay $2 Million to Lawyer Wrongly Jailed”, The New York Times (November 30, 2006). Online:;oref=slogin&amp;pagewanted=print.
  228. National Security Letters are an extraordinary search power under which the FBI can compel banks, telecommunications service providers and others to disclose customer records (but not content of communications) without prior judicial authorization or probable grounds – the FBI need only state that the information is required for counter-terrorism or foreign intelligence purposes.
  229. See Electronic Privacy Information Center, “Intelligence Oversight Board: FOIA Documents Detailing Legal Violations”.Online:
  230.  US Department of Justice Office of the Inspector General report (n. 226).
  231. Id.  at 47.
  232. Id.  at 78.
  233.  EFF,  Patterns of Misconduct: FBI Intelligence Violations from 2001 – 2008  (January 2011). Online: at 12.
  234. Id . at ‘i’ and ‘ii’.
  235. See Electronic Privacy Information Center “Terrorism” Information Awareness (TIA)”  Online
  236. Fusion Centers are government-supported entities that gather information from various sources, including  the federal government, state, local, tribal and territorial governments, for the purpose of identifying terrorist/criminal activities and other hazards such as natural disasters.  For more on fusion centers, see Torin Monahan, “The Future of Security? Surveillance Operations at Homeland Security Fusion Centres”,   Social Justice  Vol. 37, Nos. 2–3 (2010–2011) , p.84; and Electronic Privacy Information Center “Information Fusion Centers and Privacy” online:
  237.  Dilanian, “Fusion centers’ gather terrorism intelligence – and much more,” Los Angeles Times (November 15, 2010) Online:;  see also R. Singel, “Newly Declassified Files Detail Massive FBI Data-Mining Project”,  Wired  (September 23, 2009) online:
  238.  Tech Talk, “Homeland Security Harvested Social Network Data”  CBS News . (October 14, 2010)  Online:
  239. See Landau (n. 103) at 207.
  240. EFF, “Al Haramain v. Bush”,  EFF Cases  online:
  241. As quoted in Stephen Lendman, “Lawless Spying in America to Obstruct First Amendment Freedoms,”  Baltimore Chronicle and Sentinel  (October 7, 2010). Online:
  242. ch. 23.
  243. 2001 ch. 24.
  244.  Directive 2006/24/EC; UK Data Retention (EC Directive) Regulations 2009.
  245. Surveillance Studies Network,  A Report on the Surveillance Society,  for the Information  Commissioner (September 2006).
  246. U.K. Home Office,  Review of Counter-Terrorism and Security Powers Review of Findings  and Recommendations,  (January 2011) at 5.
  247.  Id . at 28.
  248. Kennedy, “Officials seek access to phone and email data 1,381 times a day”, The Guardian (August 10, 2009). Online:
  249.  Bone, “’Network’ of police linked to private eyes”, BBC News (October 2007)  Online:
  250.  See D. Hamilton, “Police Databases: Over 900 Police Staff Abuse their Access’. Online:
  251. Big Brother Watch “The Grim RIPA: Cataloguing the ways in which local authorities have abused their covert surveillance powers”. Online:
  252. “Local Authorities Would Require Approval From Magistrates Before They Can Use RIPA Powers for Surveillance – Home Secretary”,  eGovMonitor , (January 27, 2011). Online:
  253. “Pen registers” record the numbers that a target telephone is dialing.  “Trap and trace” devices capture  the telephone numbers that dial a target telephone.
  254.  However, it appears that such reports have not always been published.  See P. Schwartz, “Reviving Telecommunications Surveillance Law”,  University of Chicago Law Review, Vol. 75,  No.1 (Winter, 2008), at 287.
  255. 18 USC 2712.
  256. Bill C-51, proposed s. 487.019(1) and s. 487.012(5).
  257.  Bill C-51, proposed s. 487.0191 (Before granting such an order, the court must be satisfied by information on oath that there are reasonable grounds to believe that disclosure during the period would jeopardize the investigation).
  258. Bill C-50, proposed s. 184.2(4) and 187(8).
  259.  Thomson, “RCMP oversight lacking, says complaints watchdog”, Times Colonist (December 1, 2008 ).  Online: ml#ixzz1fS9PEZqr. See also “RCMP force boss says force needs civilian oversight”  CTV News  (November 25, 2010). Online:
  260.  Government of Canada, “Sweeping Changes Recommended in Report on Governance and Culture Change in  the RCMP” (December 14, 2007). Online:
  261.  Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar,  Report on the Events Relating to Maher Arar,  “Analysis and Recommendations” (Sept.18, 2006), Recommendation 10.
  262. Bill C-36, 37th Parliament, 1st Session.
  263. National Defence Act,  s. 273.65
  264. Bill C-24, 37th Parliament, 1st Session.
  265. S. 487.013.
  266. Id.
  267.  See for example a blog posting referring to a Chinese website that “offers mobile phone monitoring  tools and services to customers who are given access to the site’s backend to retrieve information”. Online:
  268.  Public Safety Canada, News Release, “Government of Canada introduces legislation to fight  crime in today’s high-tech world”, (November 1, 2010). Online:

Where was Citizen Lab during the Munk Debate on state surveillance?

The semi-annual Munk Debates were established in 2008 as a charitable initiative of the Aurea Foundation co-founders Peter and Melanie Munk. The Debates take place in Toronto in the evening in front of an audience of 3,000 people at Roy Thomson Hall, and are broadcast throughout Canada by the CBC and across the continental United States on C-SPAN. The Debates are organized by Rudyard Griffiths, the President of the Peter and Melanie Munk Charitable Foundation.

The spring 2014 Munk Debate moved that state surveillance is a legitimate defence of our freedoms .... with Michael Hayden and Alan Dershowitz arguing in the affirmative, and Glenn Greenwald and Alexis Ohanian arguing in the negative.

It's a shame, if not outright suspicious, that Mr. Griffiths side-lined  another beneficiary of Peter and Melanie Munk - namely, the Citizen Lab - from this Debate.

So it is understandable that, when he was invited merely to comment afterwards on the Debate, Ronald Deibert, Director of the Citizen Lab, hardly contained his personal and professional disappointment:

Missing from the debate, though, was the elephant in the room. The room being Roy Thomson Hall, located in downtown Toronto, Canada, that elephant would of course be Canada’s own system of state surveillance. Although the name of our own NSA, the Communications Security Establishment of Canada (CSEC), was briefly referenced once or twice, the details of its operations were left unexamined by the debaters. That’s a shame, for the Canadian situation offers a remarkable contrast to that which exists in the United States. Whereas the NSA’s operations are overseen by three branches of government, including being subject to regular congressional oversight committees and the scrutiny of eleven judges of the Federal Intelligence Services Court (FISC), Canada’s CSEC does not report to parliament, is answerable only to the minister of defense, and is overseen by a single retired judge who issues an annual “review.” In the US, the NSA revelations have brought about widespread calls for reforms, and prompted President Obama to set up a President’s Review Group on Surveillance which made over 40 recommendations on everything from civil liberties to the FISC itself, some of which were referenced explicitly by President Obama in a major public address to the nation. Here in Canada, by contrast, government officials have hardly acknowledged the revelations at all, have proposed or undertaken no reforms whatsoever, and have responded to CSEC revelations with statements that simply reiterate official boilerplate policy. While in the United States, big Internet companies, telcos, and social media giants have begun issuing detailed transparency reports about government requests for user data, with some going so far as to take the government to court to reinforce their right to notify users when such requests are made, here in Canada the telecommunications industry has stuck to what can only be described as a shameful silence -- even in the face of alarming statistics that suggest companies routinely hand over user data to government agencies millions of times a year without a warrant.

In fact, the Munk Debaters missed a major opportunity to bring up Canada. In spite of their differences, it was clear that everyone on the stage believed that there are real threats that need to be dealt with, and that liberal democratic governments should deal with them under some system of oversight and accountability. The Canadian case could have served as a great example of the type of “flawed system” that everyone could agree should be avoided at all costs - - a retrograde model from the Cold War era unsuited to the challenges of 21st century liberal democracy. Then again, maybe it was appropriate that Canada was not brought up during the debate. A poll undertaken by the Canadian Journalists for Free Expression whose results were released just prior to the debate showed that at least sixty percent of Canadians do not seemed concerned that the government is monitoring their communications. If Canadians don’t care about the issue in the first place, why should we expect our American visitors to bring it up? It is common for Canadians to feel superior to Americans when it comes to public discourse, pointing to the trash-talking and polarizing cable news networks we eavesdrop on from north of the border. But the Munk Debates reminded us we have a lot to learn from our American cousins when it comes to maturely discussing an issue so fundamental to society as the appropriate balance to strike between security and privacy in a liberal democracy. Never mind debates, we have barely acknowledged the subject.

So, I invite Professor Deibert to expand upon the following points he makes above - and, in particular, to connect his past and future research efforts of his lab to advancing the cause of freedom in the face of state mass surveillance of his fellow citizens in Canada:

  • Canada’s CSEC does not report to parliament, is answerable only to the minister of defense, and is overseen by a single retired judge who issues an annual “review.”
  • Canadian government officials have hardly acknowledged the Snowden revelations at all, have proposed or undertaken no reforms whatsoever, and have responded to CSEC revelations with statements that simply reiterate official boilerplate policy.
  • The Canadian telecommunications industry has stuck to what can only be described as a shameful silence- even in the face of alarming statistics that suggest companies routinely hand over user data to government agencies millions of times a year without a warrant.
  • Canadian oversight of state surveillance is a great example of the type of “flawed system” that everyone could agree should be avoided at all costs - a retrograde model from the Cold War era unsuited to the challenges of 21st century liberal democracy.
  • A poll undertaken by the Canadian Journalists for Free Expression whose results were released just prior to the debate showed that at least sixty percent of Canadians do not seemed concerned that the government is monitoring their communications.
  • The Munk Debates reminded us we have a lot to learn from our American cousins when it comes to maturely discussing an issue so fundamental to society as the appropriate balance to strike between security and privacy in a liberal democracy - never mind debates, we have barely acknowledged the subject.