Tag Archives: Rogers

Rogers and Alcatel-Lucent Proposed an Encryption Backdoor for Police - Motherboard 20160212

As telecom companies prepare for the day when phone calls are counted in megabytes and not minutes, yet another contentious encryption debate is looming: how to secure subscribers' voice conversations, while balancing law enforcement’s need to eavesdrop when needed.

For Canadian telecom company Rogers and equipment maker Alcatel-Lucent (now Nokia), one option was a so-called backdoor, a secret key of sorts that could decrypt otherwise secure communications, and that theoretically only law enforcement could use.

In 2012, the two companies came up with a lawful interception proposal for a next-generation voice encryption protocol, known as MIKEY-IBAKE. The protocol was designed to protect conversations end-to-end—that is, no one sitting in the middle of a call's network connection could eavesdrop on what was being said.

Unless you were law enforcement, that is. For them, there was an exception, a backdoor. But there’s a problem with this scenario: a backdoor for law enforcement has the potential to be exploited by others, which is why, amongst security professionals, backdoors are so vehemently opposed.

"In the US, this has been the debate. Are we going to backdoor communications? We simply haven't had that debate here," said Christopher Parsons, a post-doctoral researcher at the Citizen Lab, which belongs to the University of Toronto’s Munk School for Global Affairs. "It seems as though we have carriers and vendors who are looking for ways to subvert that without bothering to deal with the politicians."

The documents detailing the Rogers and Alcatel-Lucent proposal are related to documents analyzed last month by Steven Murdoch, a Royal Society University Research Fellow in the Information Security Research Group of University College London. Murdoch’s analysis described an encryption protocol related to MIKEY-IBAKE that had been modified—backdoored—by the UK intelligence agency GCHQ.

An excerpt from one of the documents describing Rogers and Alcatel-Lucent's proposal. Image: Screenshot/3GPP

On the one hand, telecom providers have no choice but to opt for stronger encryption (and, to be clear, this is a good thing). At present, "land-line calls are almost entirely unencrypted, and cellphone calls are also unencrypted except for the radio link between the handset and the phone network," wrote Murdoch, in his recent analysis of GCHQ’s backdoored cellular encryption scheme.

On the other, more widespread use of encryption has drawn the ire of law enforcement. The FBI famously described Apple and Google’s efforts to increase user data protections as making evidence go “dark.” And because various jurisdictions—including Canada and the US—include wiretap provisions as a condition of having access to wireless spectrum, employing protections that also stymie law enforcement isn't so cut and dry.

"These lawful intercept requirements are harming security,” Murdoch said in an interview. “They're preventing the deployment of security in order to facilitate surveillance, and that's not really a debate that's been discussed."

The Rogers and Alcatel-Lucent proposal was introduced during a meeting of the 3rd Generation Partnership Project's lawful interception working group in 2012. The 3GPP is an organization that develops standards that dictate how much of the world's cellular infrastructure works, including 4G and LTE (draft documents of the proposal are available on its website, but the final proposal is not).

At that meeting, which was held in Barcelona, Rogers and Alcatel-Lucent proposed an approach to encryption where, instead of protecting communications using a random number generator, the system would use a pre-defined "pseudo-random number generator," or a secret number, that only a telecom provider or network operator would know.

Because all messages would be encrypted using this pre-determined number, anyone that discovered the number could decrypt any message they wanted.
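As an added illustration (not from the article, Rogers, Alcatel-Lucent or any 3GPP document) of why a pre-defined generator known to the operator amounts to a master decryption key, here is a toy Diffie-Hellman style key agreement in which the caller's "random" secret is derived from an operator seed; the group parameters, the seed-derivation rule, the stream cipher and all names are assumptions for the demo, not the MIKEY-IBAKE design.

```python
"""Toy model of the escrowed-randomness design described above.

Constructed example: a Diffie-Hellman style key agreement in which the
caller's ephemeral secret is either (a) drawn from a real CSPRNG or (b)
derived from a network operator's secret seed, as in the proposal.  The
group, the derivation rule and all names are toy assumptions, not the
MIKEY-IBAKE specification.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Toy group: a known prime (2**127 - 1) and generator 3.  Not a safe prime and
# not production parameters; chosen only so pow() is fast and readable.
P = 2**127 - 1
G = 3


def escrowed_secret(seed: bytes, call_id: bytes, party: bytes) -> int:
    """The 'pre-defined pseudo-random number': deterministic in the operator seed.

    Anyone holding `seed` can recompute this value for any call, at any time.
    """
    digest = hmac.new(seed, call_id + b"|" + party, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1


def random_secret() -> int:
    """Genuine ephemeral secret from the OS CSPRNG; nobody can recompute it."""
    return secrets.randbelow(P - 2) + 1


def session_key(shared: int) -> bytes:
    """Derive a 32-byte key from the shared group element."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Minimal stream cipher for the demo (SHA-256 in counter mode, no MAC)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = data[block:block + 32]
        out.extend(x ^ y for x, y in zip(chunk, ks))
    return bytes(out)


def place_call(plaintext: bytes, escrow_seed: Optional[bytes], call_id: bytes) -> dict:
    """Run one call and return only what a tap on the network would see.

    escrow_seed=None models a real random number generator; a seed models the
    proposal, where the caller's secret is fixed by a number the operator knows.
    """
    if escrow_seed is None:
        a = random_secret()
    else:
        a = escrowed_secret(escrow_seed, call_id, b"caller")
    b = random_secret()                      # callee always uses real randomness
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    key = session_key(pow(pub_b, a, P))      # caller's view of the shared key
    assert key == session_key(pow(pub_a, b, P))  # callee derives the same key
    return {"call_id": call_id, "pub_caller": pub_a, "pub_callee": pub_b,
            "ciphertext": keystream_xor(key, plaintext)}


def recover_with_seed(seed: bytes, captured: dict) -> bytes:
    """What any holder of the operator seed can do with a recorded call, live or
    years later: recompute the caller's 'random' secret and decrypt the traffic."""
    a = escrowed_secret(seed, captured["call_id"], b"caller")
    key = session_key(pow(captured["pub_callee"], a, P))
    return keystream_xor(key, captured["ciphertext"])
```

With a seeded caller, `recover_with_seed` returns the plaintext from the public transcript alone; with a genuinely random caller it returns garbage, which is the whole difference between escrowed and real randomness.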

The proposal was described by Parsons and fellow Citizen Lab researcher Andrew Hilts last year, in a report for the Telecom Transparency Project (Parsons is its founder), but received little notice at the time.

"The Rogers/Alcatel-Lucent solution would let a [telecom service provider] either decrypt traffic in real time or retroactively decrypt traffic that had been encrypted using the [pseudo-random number generator]," the pair wrote in their 2015 report on telecommunications surveillance. "As such, their proposal would effectively undermine the core security design decisions that were ‘baked’ into MIKEY-IBAKE."

"This should be a public discussion. This shouldn't be something that's buried away in a pretty cloistered standards environment,” said Parsons, who called the proposal “worrying.” Canadian Parliament has yet to engage in the sort of encryption debate currently taking place in the US.

“We're talking about fundamental aspects of how law enforcement interacts with our communications, that the extent to which we can trust the security provided to us by telecommunications providers,” Parsons continued. “And this all comes after Canada has passed numerous legislature that deals with security and surveillance, none of which, to my mind, explicitly clarify whether or not this kind of decryption on the fly would be required."

The encryption protocol proposed by Rogers and Alcatel-Lucent was actually previously rejected by the UK government's spy agency GCHQ for being too difficult to eavesdrop on. Instead, GCHQ proposed an alternate standard, MIKEY-SAKKE, which can be more readily intercepted. The UK government has been promoting adoption of the standard in both government and commercial products.

MIKEY-IBAKE, meanwhile, does not appear to have been implemented. Leonard Pesheck, a spokesperson for Nokia (which recently purchased Alcatel-Lucent), wrote in an email that "the MIKEY-IBAKE proposal we submitted to 3GPP SAE for standardization was not accepted and we therefore did not pursue product plans."

Rogers spokesperson Jennifer Kett also confirmed the company brought forward the MIKEY-IBAKE proposal, but "ultimately that proposal was not adopted."

"As you can appreciate, in order to best protect our customers and as a condition of our licenses, we don’t publicly disclose our security practices," Kett wrote in an email.

If those practices include backdoors, however, it’s only a matter of time before others disclose them first.

Ontario Superior Court - It's common sense: Canadians have a reasonable expectation of privacy in their cell phone records - 20150114

Full ruling.

THE ISSUES

The parties identified the issues as follows:

  • is there a reasonable expectation of privacy in the records ordered to be produced?
  • if there is a reasonable expectation of privacy, do Rogers and Telus have standing to assert it?
  • do the Production Orders infringe s. 8 of the Canadian Charter of Rights and Freedoms ("the Charter")? Are they overly broad? What declaration is appropriate?
  • what guidance to police and issuing justices is appropriate?

IS THERE A REASONABLE EXPECTATION OF PRIVACY IN THE RECORDS?

Common sense indicates that Canadians have a reasonable expectation of privacy in the records of their cellular telephone activity. Whether and when someone chooses to contact a divorce lawyer, a suicide prevention hot line, a business competitor or a rehabilitation clinic obviously implicates privacy concerns. The location of a person at a particular time also raises privacy concerns. Was the person at the Blue Jays game instead of at work?

Admittedly this type of information is in the vast majority of cases innocuous. It remains that in a number of cases it will be quite sensitive. It is also not tenable to reason that since only the police will be in possession of this information any sensitive information will never see the light of day. One needs only read a daily newspaper to be aware of the fact that governments and large corporations, presumably with state of the art computer systems, are frequently "hacked" resulting in confidential information being stolen and sometimes posted on-line.

I appreciate that cell phone data is not right up there with Wikileaks and Ashley Madison in terms of information likely to be hacked and published. It remains that it is information Canadians certainly regard as private. The law supports this conclusion.

First, the relevant statutes. The Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), which applies to Rogers and Telus, provides as follows:

  • b) s. 2 "personal information" means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
  • c) s. 3 "The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances"

The Criminal Code, s. 492.2, requires judicial authorization, on a "reasonable grounds to suspect" standard, to install transmission data recorders, which can capture the telephone numbers of persons sending and receiving communications. This supports the conclusion that there is a reasonable expectation of privacy in this information.

The Production Orders were issued pursuant to s. 487.012(3) of the Criminal Code which provided that:

  • (3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that there are reasonable grounds to believe that:
    • an offence against this Act or any other Act of Parliament has been or is suspected to have been committed;
    • the documents or data will afford evidence respecting the commission of the offence; and
    • the person who is subject to the order has possession or control of the documents or data.

Hutchison stressed the point that tower dump orders are unusual in that, by their nature, 99.9% of the records sought will relate to innocent persons. For that reason he argued that there was a heightened need to protect the privacy interests of these individuals.

Turning to the caselaw, in R v. Mahmood, [2008] O.J. No. 3922 (S.C.), affd. [2011] ONCA 693, 107 O.R. (3d) 641 the police were investigating a jewellery store robbery. As Quigley J. explained, the police initially sought a 'tower dump' warrant to obtain:

...name, home and business address and date of birth, date and time of call, and all telephone numbers dialed or received by the account holder. (para. 15).

The information to obtain the tower dump search warrant simply asserted that robbers commonly use cell phones. There was no case specific information to suggest the jewellery store robbers had used cell phones in the course of the robberies.

Through investigative measures independent of the tower dump records, the police identified Fundi as a suspect. He was placed under surveillance and observed frequently associating with Mahmood, and two other men Sheikh and Malik. The police then applied for a further "subscriber" warrant to obtain the cell phone records of Fundi and Malik which disclosed several calls between them around the time of the robbery and that their phones were in the vicinity of the jewellery store at the time of the robbery.

Quigley J. ruled that the "tower dump" warrant violated s. 8 and that the evidence should be excluded under s. 24(2) of the Charter. As to the expectation of privacy in "tower dump" records Quigley J. stated:

Nevertheless, while not adopting their reasons, I agree generally with Ferguson J. in R. v. MacInnis and Donnelly J. in R. v. Bryan , in their conclusions that when this kind of information is revealed or exposed in this age, recognizing the protean nature of the inquiry, it may well by the use of the technology itself, or by the application of further inquiry or technology to the raw data, expose detail of the "lifestyles" of the Applicants or information that approaches that of a biographical nature that is Charter protected. In the context of the robbery investigation that was underway, this information did disclose who and where these individuals or their cell phones were, and what numbers they or their cell phones were communicating with and how frequently, and equally importantly, when those numbers were not communicating while the robbery was in progress. It is that collated information, which when further examined and cross-referenced to other information obtained by police that could and did, in this case, reveal details of the activities and movement of the Applicants. It permitted the police here to determine that two or three of the four Applicants were in the vicinity of the robbery when it occurred, a fact that was central to their belief of their involvement in this crime.

On appeal, Watt JA. agreed that there was a reasonable expectation of privacy in the tower dump records. He did note, however, that there was a reduced expectation of privacy given that the customer name and location information was far removed from the biographical core of personal information such as intimate details of an individual's lifestyle and personal choices.

In my opinion the statutes and case law align with common sense.

Canadians have a reasonable expectation of privacy in their cell phone records.

DO TELUS AND ROGERS HAVE STANDING?

The Respondent raised a number of technical and procedural objections. The first was that there was in fact no search and seizure made pursuant to the Production Orders so that s. 8 of the Charter is not engaged and no Charter remedy is available under s. 24(1).

The Rogers and Telus Notices of Application, however, claimed various forms of relief including a declaration that the Production Orders were unreasonable and inconsistent with s. 8 of the Charter.

Rogers and Telus are simply interested in having judicial consideration of the issues raised. As such, the fact that a s. 24(1) Charter remedy may be unavailable is not an impediment to granting the declaration sought.

Secondly, the Respondent submitted that any privacy interest at stake was that of the subscribers. As such, Rogers and Telus lack standing to claim any relief.

As discussed, each subscriber has a reasonable expectation of privacy in the information sought by the PRP. Each subscriber has contracted with Rogers and Telus for an assurance that the subscriber's personal information will, within certain limits, be kept confidential. It is impractical in the extreme for Rogers and Telus to give tens of thousands of subscribers notice of the fact the PRP is seeking their personal information. It is also clear, as a practical matter, that no individual subscriber would have an interest in litigating with the government over these issues.

The choice is stark. There is an issue concerning the privacy rights of hundreds of thousands of Canadians. If Rogers and Telus are correct, this legal issue can and will be addressed with opposing points of view put forward by counsel. A decision on point can provide guidance to the police and issuing justices. If the Respondent is correct, this legal issue will never be addressed and some justices of the peace will continue to grant similar production orders which, as I will later explain, are overly broad and unconstitutional.

To my mind the choice is clear. Rogers and Telus have standing to assert the privacy interests of their subscribers and are contractually obligated to do so.

ARE THE PRODUCTION ORDERS OVERLY BROAD? - DO THEY INFRINGE SECTION 8 OF THE CHARTER? WHAT DECLARATION IS APPROPRIATE?

Section 8 of the Charter provides that:

Everyone has the right to be secure against unreasonable search and seizure.

In R v. Vu [2013] 3 S.C.R. 657, Cromwell J., for the court, stated:

Section 8 of the Charter — which gives everyone the right to be free of unreasonable searches and seizures — seeks to strike an appropriate balance between the right to be free of state interference and the legitimate needs of law enforcement. In addition to the overriding requirement that a reasonable law must authorize the search, this balance is generally achieved in two main ways.

First, the police must obtain judicial authorization for the search before they conduct it, usually in the form of a search warrant. The prior authorization requirement ensures that, before a search is conducted, a judicial officer is satisfied that the public's interest in being left alone by government must give way to the government's interest in intruding on the individual's privacy in order to advance the goals of law enforcement: Hunter v. Southam Inc., [1984] 2 S.C.R. 145, at p. 160. Second, an authorized search must be conducted in a reasonable manner. This ensures that the search is no more intrusive than is reasonably necessary to achieve its objectives. In short, prior authorization prevents unjustified intrusions while the requirement that the search be conducted reasonably limits potential abuse of the authorization to search.

The "minimal intrusion" principle embodied in s. 8 was described by Mr. Chan in Morelli and Beyond: Thinking about Constitutional Standards for Computer Searches, the Criminal Lawyers Association Newsletter, vol. 33, No. 2, as follows:

The animating policy is that the state must always be alive to the privacy interests of the individual and must always infringe such interests as little as possible.

The issuing justice did not have the benefit of the evidence before me and the legal submissions of counsel. With that benefit, I have no hesitation in finding that the Production Orders were overly broad and that they infringed s. 8 of the Charter. The disclosure of personal information the Production Orders required went far beyond what was reasonably necessary to gather evidence concerning the commission of the crimes under investigation. For example, the Production Orders:

  1. required production of information relating not only to the cell phone subscriber proximate to the crime scene but also the personal information and location of the other party to the call who may have been hundreds or thousands of miles removed from the crime scene;
  2. required production of bank and credit card information which, if it had any relevance at all in locating an individual, could have been sought in a follow-up application for a small number of actual suspects (i.e.) a person whose cell phone was proximate to multiple crime locations; and
  3. required production of personal information pertaining to over 40,000 subscribers when all the police were really interested in was information, which could have been provided in a report, listing the few individuals, if any, utilizing a cell phone proximate to more than one robbery location.

I, therefore, make the requested declaration that the Production Orders authorized unreasonable searches and so breached the s. 8 Charter rights of the Rogers and Telus subscribers. As the Production Orders have been revoked nothing would be gained by addressing the further issue of whether the Production Orders also violated the rights of Rogers and Telus.

I will also comment briefly on the submission by Mr. Hutchison that the issuance of an overly broad order requires the police and the target of the order to negotiate a compromise as to what should be produced and that this constitutes an improper delegation of the issuing justice's authority. I agree that an overly broad order is unacceptable and, as I will discuss, I adopt certain guidelines directed at focusing orders to minimize the intrusion on personal information.

If these guidelines are followed there will no doubt continue to be cases in which compliance with the production order will be more onerous than the police could have contemplated. Circumstances may change as an investigation proceeds which will affect the scope of the information required. In that context, communication between the police and the target of the order should be encouraged as it will further serve the principle of minimal intrusion.

WHAT GUIDANCE TO POLICE AND ISSUING JUSTICES IS APPROPRIATE?

Rogers and Telus also:

ask that the court take the opportunity to provide law enforcement, issuing justices and companies such as the Applicants with guidance as to reasonable parameters for properly confining these types of expansive searches.

Mr. Hubbard submitted, and I agree, that any "guidance" I offer should not be regarded as "bright-line rules", in the nature of conditions precedent, that must be strictly followed before a production order can be issued. Having said that, there are recurring fact patterns that emerge when the police seek tower dump production orders. It follows that there are recurring constitutional considerations which should inform the decision of the issuing justice.

I also note that police services have an obligation to conduct themselves in a Charter compliant manner. It is, therefore, improper for the police to seek irrelevant personal information and rely solely on the issuing justice to ensure constitutional compliance. It remains, of course, that it is up to the issuing justice to adhere to legislative and constitutional requirements.

The Applicants request judicial guidance. The Respondents filed the affidavit of Detective Cole, who believes that such guidance would assist the police in obtaining 'privacy enhanced' production orders. I, therefore, conclude that it is appropriate to identify "guidelines" which I distill from the evidence and the submissions of counsel.

Hutchison framed his suggestions as "constitutional imperatives". Mr. Hubbard framed his suggestions as "best practices". There was significant common ground.

Hutchison submitted that:

To be constitutionally sound, tower dump orders should at a minimum be limited in the following ways:

  • There should be grounds to believe that all the information sought will meet the standard prescribed by the Criminal Code, namely that the information sought "will afford evidence respecting the commission of the offence". If, for instance, the CNA [customer name address] information, the billing information, or the resulting records would not serve that purpose, they should not be obtained;
  • To the extent possible, the scope of the data obtained should be narrowed by resorting to an incremental approach. For instance, subscriber information should generally be excluded from an initial tower dump authorization;
  • The scope of the data sought should be narrowed to the extent possible in view of the information available to police. For instance, the relevant window of time should be as narrow as the information available allows;
  • The total amount of data that is reasonably anticipated to be produced in response to the order should not in itself be unreasonably large; and
  • The order should limit the subsequent retention, use and disclosure of the data by police, having in mind that almost all of it will not have anything to do with the offence they are investigating.

Hubbard identified five "best practices":

  1. Adherence to the statutory requirements - The application and the issuing judicial officer should ensure that there are grounds to believe that all the information sought will meet the standard prescribed by the Code in relation to the specific type of Production Order sought.
  2. Case specific inquiry — Efforts should be made to tailor a specific tower dump production order, as much as possible, to the specific requirements of a given case.
  3. Incremental approach — To the extent possible, the scope of the data obtained should be narrowed by resorting to an incremental approach.
  4. Narrowing the scope of requested information — The scope of the data sought should be narrowed to the extent possible in view of the information available to police.
  5. Requesting a report where possible — Where applicable, investigators should consider seeking production of a document based on the requested data, and not the underlying data itself.

Hutchison's first and third constitutional imperative and Mr. Hubbard's first, second and fourth best practice simply remind of the necessity of adhering to statutory requirements in light of the case specific evidence. While important, I need not discuss them further.

Hutchison's third constitutional imperative, that there be an incremental approach to production, mirrors Mr. Hubbard's third best practice. I agree that an incremental approach is supported by the principle of minimal intrusion which animates s. 8 of the Charter. One aspect of this, as referred to by Detective Cole, is that the police should not seek such a large amount of personal information that it cannot be meaningfully reviewed.

Hutchison's fourth constitutional imperative is that the total amount of data sought not be unreasonably large. Mr. Hubbard submits that an absolute restriction based on the volume of material is unworkable. I agree.

The starting point is that if the police and the issuing justice focus on the statutory requirements and the principle of minimal intrusion, the resultant production order will be no more extensive or onerous than is reasonably necessary in order to investigate the crime in question. Further, the police, and therefore the issuing justice, will only have a very general and perhaps inaccurate conception of how much personal information will be captured by a particular production order and how much effort will be required to comply with the order. To ask the issuing justice to speculate as to how onerous it would be to comply with a requested order, and impose a cap on that basis, would be arbitrary and contrary to the best interests of the administration of justice.

It remains that anyone in the position of Rogers and Telus, who wishes to oppose a production order on the basis that it is unreasonable, or unduly onerous, can request a variance of, or exemption from, the order under what is now s. 487.0193 of the Criminal Code.

At the time the Production Orders were sought, s. 487.012(1) of the Criminal Code provided that a production order could compel a person to prepare and produce a document based on documents or data already in existence. This provision was repealed and replaced by s. 487.014 which is similar. I think that Mr. Hubbard's fifth best practice, that investigators consider seeking a report based on specified data, and not the underlying data itself, is particularly helpful. Consider the common scenario in which a tower dump order is sought to attempt to identify individuals proximate to multiple crime scenes. The underlying data may relate to where tens of thousands of individuals were at a particular time and who they communicated with. The report, however, would only identify the very few individuals, if any, who happened to be proximate to more than one crime scene.

Hutchison also suggests that tower dump production orders must address the retention, use and disclosure of tower dump data seized by the police. Certainly, there is much to be said in favour of statutory provisions and business-administrative practices which address the question of how much personal information should be retained and for how long. For example, PIPEDA, which by its terms does not apply to the police, incorporates the Canadian Standards Association Model Code for the Protection of Personal Information which identifies governing principles, including the following:

45.3. Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

Legislators have been active in enacting privacy legislation. To date, however, no legislation addresses the retention of tower dump records nor other more invasive collections of personal information such as wiretap evidence. On the record before me, I do not think it would be appropriate to offer guidance on post-seizure safeguards. Hearing from all interested parties and determining whether and to what extent safeguards are required is best left to legislators.

Mr. Hutchison also submitted that the guidance I provide should include that tower dump orders only be used, "as a last resort, where traditional investigative techniques have failed". In support he cited Justice Brian Owsley's article: The Fourth Amendment Implications of the Government's Use of Cell Tower Dumps In Its Electronic Surveillance, Journal of Constitutional Law, Oct. 2013, Vol. 16:1.

I do not accept this submission for two reasons. First, whether to impose this type of general requirement, which imposes strictures on how the police investigate crime, is properly and best left to Parliament. Secondly, where Parliament has seen fit to impose an investigative necessity requirement it has made this clear. For example, s. 186(1)(b) of the Criminal Code makes it a condition precedent, to an authorization to intercept a private communication:

(b) that other investigative procedures have been tried and have failed, other investigative procedures are unlikely to succeed or the urgency of the matter is such that it would be impractical to carry out the investigation of the offence using only other investigative procedures.

SUMMARY AND CONCLUSION

Introduction

The guidelines which I now provide reflect the fundamental principles of incrementalism and minimal intrusion. They are guidelines and not conditions precedent. The statutory requirements are now set out in s. 487.014 of the Criminal Code.

While I am only able to grant declaratory relief, these guidelines should become known and should make a difference. There is an obligation on the part of the police and the issuing justices to know the law, as I have explained it. Given that a production order is obtained on an ex parte basis, there is also an obligation on the police to make full, fair and frank disclosure. (See R v. Araujo, [2000] 2 S.C.R. 992, at paras. 46-47). This would encompass explaining clearly in the information to obtain how requested data relates or does not relate to the investigation.

Guidelines for Police

The police should include in the information to obtain a production order:

  • One — a statement or explanation that demonstrates that the officer seeking the production order is aware of the principles of incrementalism and minimal intrusion and has tailored the requested order with that in mind. — An awareness of the Charter requirements is obviously essential to ensure that production orders are focused and Charter compliant.
  • Two — an explanation as to why all of the named locations or cell towers, and all of the requested dates and time parameters, are relevant to the investigation. — This obviously flows from what is now the s. 487.014(2)(b) Criminal Code requirement that there be reasonable grounds to believe that the documents or data requested will afford evidence respecting the commission of the offence.
  • Three — an explanation as to why all of the types of records sought are relevant. — For example, the Production Orders sought bank and credit card information, and information as to name and location of the party to the telephone call or text communication who was not proximate to the robbery location. This information was clearly irrelevant to the police investigation.
  • Four — any other details or parameters which might permit the target of the production order to conduct a narrower search and produce fewer records. — For example, if the evidence indicates that a robber made a series of calls lasting less than one minute this detail might permit the target of the order to narrow the search and reduce the number of records to be produced. If the evidence indicates that the robber only made telephone calls then there may be no grounds to request records of text messages. (Although the use of voice recognition software may make it difficult to distinguish between a person making a telephone call and a person dictating a text message.)
  • Five — a request for a report based on specified data instead of a request for the underlying data itself. — For example, in this case a report on which telephone numbers utilized towers proximate to multiple robbery locations would contain identifying information concerning only a small number of robbery suspects and not the personal information of more than 40,000 subscribers which the Production Orders sought. This would avoid the concern expressed by Mr. Hutchison that 99.9% of vast amounts of tower dump personal information relates to individuals who are not actually suspects.
  • Six — If there is a request for the underlying data there should be a justification for that request. — In other words, there should be an explanation why the underlying data is required and why a report based on that data will not suffice.
  • Seven — confirmation that the types and amounts of data that are requested can be meaningfully reviewed. — If the previous guidelines have been followed the production order should be focused which will minimize the possibility of an order to produce unmanageable amounts of data. This confirmation does, however, provide an additional assurance of Charter compliance.

Guidelines for Issuing Justices

The guidelines for issuing justices flow from the guidelines for police. Issuing justices should generally insist upon the police providing the information, confirmations and explanations outlined in the Guidelines for Police. Doing so will focus the scope of the production order and ensure that production orders conform to both the requirements of the Criminal Code and the dictates of the Charter.

Conclusion

I thank counsel for their helpful submissions in relation to this important and topical matter.

Sproat, J.

Released: January 14, 2016

CCLA - Canadians' right to privacy in cell phone data confirmed by Ontario court - 20160115

In a notable win yesterday for privacy, the Ontario Superior Court ruled that police requests to Rogers and Telus for the personal information of over 40,000 subscribers were a violation of their Charter rights.

In April 2014, Peel Regional Police, as part of an investigation into a series of jewelry store robberies, obtained a production order for a “tower dump”—it asked Rogers and Telus to turn over customer information from all cellphones that accessed every cell tower near 21 different municipal addresses. The two companies estimated that this would include the personal information of at least 9000 Telus subscribers and 34,000 Rogers subscribers, including information about call recipients and subscriber billing information. The orders also did not specify how this customer information about thousands of innocent people would be safeguarded.

The two companies felt this was excessive, amounting to a violation of section 8 of the Charter that protects against unreasonable search and seizure; in deciding to hear the case, Justice John Sproat of the Ontario Superior Court noted that individual subscribers lack the means to raise this issue, and that “The privacy rights of the tens of thousands of cell phone users are of obvious importance.”

Today’s decision is significant for a number of reasons:

  1. The decision confirms that telecommunications companies have a contractual obligation to keep subscriber information confidential. They must protect their customers’ information from undue intrusion.
  2. The decision explicitly declares that “Canadians have a reasonable expectation of privacy in their cell phone records.”
  3. Overly broad production orders for cell phone subscriber information are declared, clearly and pointedly, to be unconstitutional.

Justice Sproat includes a series of guidelines for police detailing the information that should be included in the information to obtain a production order. This includes demonstrating that the principles of incrementalism and minimal intrusion have been duly considered in making the request; explaining why all information requested—locations, towers, dates, times, and types of records—is relevant to the investigation; providing details that might permit the search to be narrowed; limiting requests when feasible to ask for a report on the specified data rather than all of the underlying data, or, if this is insufficient, justifying any need for underlying data; and confirming that the data can be meaningfully reviewed.

The Justice declined to provide guidance on appropriate safeguards for retention, storage and deletion of data obtained from these production orders, suggesting that this would require legislation and that it should be left to parliament to enhance existing privacy laws. He further declined to limit police use of tower dumps, again noting a need for legislation before limiting investigative practice, and citing s. 186(1)(b) of the Criminal Code as an example of where legislation explicitly limits the ability to intercept private communications by imposing a high standard of investigative necessity for the practice.

This decision is an important counter to the increasingly popular belief that more information is always better in investigative contexts, be they law enforcement, national security, or even in relation to the private sector’s collection and use of personal information. To the contrary, CCLA has always maintained that information collection should be proportionate to the purpose, and undertaken in a way to minimally impair privacy. This judgement comes down soundly in favour of these important privacy principles.