Powers in the new Cyber Security Act are invasive — but do they violate the Charter?

Critics of the bill are right to be concerned, so why the curious silence in the government’s Charter Statement?

Shortly after tabling Bill C-2 in June, which I’ve written a few posts about, the government tabled Bill C-8, the Cyber Security Act. It too raises serious concerns about privacy but hasn’t attracted nearly as much attention.

In broad terms, the bill does two things. It amends telecommunications law to allow the Minister of Industry to order telcos like Shaw and Telus to make changes to their systems to bolster security and investigate breaches. It also creates a new framework for protecting “critical cyber systems” that support infrastructure like pipelines, banking networks, and commercial telecommunications.

With the bill now at second reading, digital rights advocates have argued before a standing committee that portions of the first part of the bill are especially concerning and likely violate section 8 of the Charter, which guarantees the right to be secure against unreasonable search or seizure.

The nub of the issue is the power in Bill C-8 to order a telco like Shaw to do something that might involve the incidental collection of personal information or its disclosure to an agency like the Communications Security Establishment (CSE) investigating a cyberbreach.

To make this more vivid, consider the testimony of Simon Noël, Intelligence Commissioner of Canada, before the committee in October, where he said:

In my experience as IC—with over three years and 45 decisions rendered—for the CSE to analyze and understand a cyber-incident, it must have access to information about the incident. There may be situations where this information is only technical in nature and sharing it with the CSE raises no privacy concerns, as you were told when you met with other witnesses. However, to fully understand the cyber-incident, other situations may require the CSE to have access to information, including technical information, for which Canadians have a reasonable expectation of privacy. I’ve seen it. … I agree that it’s technical information, but I also know that if you want a positive result on an incident of such importance, they need to go into the content. I’ve seen it in every cyber-operation I’ve been involved in.

Critics of the bill point out important gaps in C-8 that fail to address the Commissioner’s concerns. They note features of the bill that might even make problems worse.

Power without accountability?

One section of the bill allows the government to order a telco to do any “specified thing” considered on reasonable grounds to be necessary for securing Canada’s telecommunications networks. Another prevents an order from requiring a telco to intercept “private communications” as defined in the wiretap sections of the Criminal Code. But this, the critics say, wouldn’t preclude an order allowing for the collection of metadata — for example, the date and time I sent emails to a certain address, called certain numbers, or even visited certain websites. Information we know to be highly sensitive.

The Minister can also require a telco to “provide… any information” the Minister has reasonable grounds to believe is “relevant” to making a security-related order. This info can be shared with a host of government agencies, including Foreign Affairs, CSIS, the CSE, or with a foreign government — though it must be treated as confidential and shared only for the purpose of “securing the Canadian telecommunications system or the telecommunications system of a foreign state, including against the threat of interference, manipulation or disruption.”

Rights advocates argue that the power to compel “any information” — which might include metadata — amounts to an unreasonable search under section 8 of the Charter because it doesn’t require a warrant. It should require one, they argue, on the standard of necessity and proportionality, if not on probable grounds.

They also flag a host of other concerns. The bill contemplates imposing ‘deep packet inspection’ capabilities onto telcos, enabling the content of our communications to be scanned. It’s not clear that the bill rules out compelling decryption. It also permits orders cutting off a person’s internet access without explanation, and blocking access to websites without public notice. It contains limited review provisions. Much that is less than ideal.

But does it engage the Charter?

In its Charter Statement for Bill C-8, the government is curiously silent on the section 8 implications of incidentally gathering and sharing metadata, let alone the possible scanning of content. The Statement deals only with a search or seizure carried out against Telus or Shaw to ensure compliance with a ministerial order.

I agree with critics of the bill that the parts of it they flag would likely violate section 8. But in the rest of this post, I want to address an argument the government might make in defence of these powers under the Charter.

As Kate Robertson of Citizen Lab has noted in relation to the metadata that could be gathered under C-8, “there is no reasonable dispute that these information sources carry significant privacy interests.”

But does our privacy interest in this info extend to measures the government takes strictly to secure the system from cyber attacks?

Put differently: could the government argue that powers allowing the incidental gathering and sharing of personal info are constitutional because they do not target individuals for an investigative purpose?

When is section 8 engaged?

Section 8 is clearly engaged when a state actor interferes with a reasonable expectation of privacy for an investigative purpose related to a possible criminal or regulatory offence. This scenario accounts for most of the Supreme Court of Canada’s case law on section 8.

But in many cases, the Court decides whether there has been an interference with a privacy interest — and thus a search or seizure — by first distinguishing between things to which we did or didn’t implicitly consent. And this is where the investigative purpose, or lack thereof, becomes important.

The most notable example might be R v Evans. Police knocked on Evans’ front door with the intention of seeing if they could smell the odour of marijuana emanating from inside. Because they had this intent from the outset, police exceeded the limited waiver of privacy entailed in the implied invitation to knock and thus carried out a search.

Put more generally, courts say that any state interference with privacy constitutes a search under section 8, but often find that things done for a non-investigative purpose don’t entail an interference. The thing was either not private (because you implicitly consented to it being done) or the state action didn’t amount to an intrusion.

In their submissions to Parliament, rights advocates are correct to assert that parts of the bill may violate section 8 because they give rise to state action that interferes with something over which we have a reasonable expectation of privacy (i.e., collecting, inspecting, sharing our metadata).

But could a court find that C-8’s privacy invasive measures do not amount to a search or seizure by taking the view that they don’t in fact “interfere” with our privacy — given the law’s non-investigative purpose?

Constitutional privacy beyond investigation

The state often gathers our private information without engaging section 8 because it does so without an investigative or audit-like purpose: for example, in the delivery of health care or the administration of the income-tax system. Courts would hold in these cases that there’s no search or seizure because the collection doesn’t interfere with a reasonable privacy interest. You either consent to have your medical info gathered or it isn’t reasonable to assert a privacy interest against the state in info about your income for tax reporting purposes.

The key point is this: whether the info is private under section 8, or whether its collection amounts to an interference, depends on the purpose for which the state acts. Something will retain a reasonable privacy interest (our blood, our data) if the state acts with an investigative or audit-like purpose — if the state is seeking to learn something about a person to hold them to account for a possible breach of the law. But where the state acts for some other purpose, courts consistently say either that it wasn’t private or it wasn’t an interference.

Two quick examples.

In R v Dyment, a doctor took a blood sample from a patient without his knowledge or consent following a car accident. A majority held that the patient had impliedly consented to a sample being taken for medical purposes and for those alone. It became a seizure under section 8 when the doctor gave the sample to a police officer who received it for an investigative purpose.

R v Cole (2012) presents a closer parallel to Bill C-8. A school board technician found pictures of a student while conducting maintenance on a teacher’s work-issued laptop, and turned the computer over to the principal who turned it over to police. Justice Fish, for the majority, made the broad statement that

As Mr. Cole had a reasonable expectation of privacy in his Internet browsing history and the informational content of his work-issued laptop, any non-consensual examination by the state was a “search”; and any taking, a “seizure”.

Yet, as Justice Fish notes, Cole conceded that the “initial inspection of the laptop by the school technician in the context of routine maintenance activities… did not breach his s. 8 rights.” The Court of Appeal for Ontario explained why:

…the technician was accessing the appellant’s laptop for the limited purpose of maintaining the network. The technician found the images in the course of his legitimate access to the computer. Therefore, the appellant had no expectation of privacy with respect to this limited type of action. Since there was no reasonable expectation of privacy with respect to the technician’s actions, s. 8 of the Charter was not engaged.

It wasn’t until the tech handed the laptop over to the principal — who examined it with an investigative purpose — that Cole’s rights under section 8 were engaged.

What about cybersecurity?

I think a court would consider the incidental collection of metadata or even scanning for deep packet inspection to be an interference with our private information — if it were to find that our info was private against this kind of intrusion. The big question here is whether a court would treat cybersecurity measures as akin to the “routine maintenance activities” in Cole.

Would courts assume that we implicitly consent to such measures, or that it is unreasonable to assert a privacy interest against them, because the collection and sharing are merely incidental to safeguarding the system?

To be clear, the moment personal info gathered under C-8 is used for an investigative purpose against an individual, section 8 would be engaged. We neither consent to this use nor reasonably expect it to occur.

Even so, I agree with critics of the bill that incidental collection and sharing of personal info here would still violate section 8. The reason is simple: the powers in C-8 to share info among domestic agencies and foreign governments are so broad — despite the need that it be kept confidential and used only for the purpose of cybersecurity — that it’s impossible to draw a principled line between investigative and non-investigative use.

If info uncovered in a cybersecurity audit were later used to prosecute a hacker, was the audit about securing the system or investigating crime? The bill offers no clear answer.

I also agree with another argument that critics of the bill — including the Privacy Commissioner of Canada — make. The powers in C-8 at issue conflict with the letter, if not the spirit, of quasi-constitutional provisions in privacy legislation such as PIPEDA, the CSE Act, and the CSIS Act. These laws impose important safeguards that are notably absent here. Bill C-8 should be amended to bring it into closer conformity with those protections, if not with the Charter itself.

Happy holidays!