As it inches toward a majority in Parliament, the Liberal government is signaling its intention to move ahead with the controversial parts of the Strong Borders Act it chose to shelve back in October — in response to strong opposition from the other parties.
I’ve written about the various privacy-invasive powers in the bill briefly here, and in more detail here.
Last week I had the pleasure of attending a roundtable with the Honourable Minister of Public Safety, Gary Anandasangaree, who asked for ideas about how to improve the bill.
Here are five:
1. Narrow the new “information demand” power to big telcos and only to confirming an account
The bill would amend the Criminal Code to allow police, without a warrant, to demand from any person who “provides services to the public” — a doctor, psychiatrist, or dating app — details about the services they delivered to a particular client or account holder, such as where, when, and how often they provided the service.
The Supreme Court of Canada, hearing a Charter challenge to this, would likely find the scope of this power to be too broad, and the privacy interest it engages to be too high, to strike a reasonable balance between law enforcement and personal privacy. I would think anything less than a warrant on probable grounds would be a tough sell here.
Police say they want this power to be able to quickly ask Shaw, Telus, or Rogers to confirm whether an IP address of interest is connected to an account they host. If that’s what the police want, then why not just narrow this power down to that? Make it applicable only to large electronic service providers and only allow police to demand a yes or no answer to the question: does the user with this IP address have an account with you?
That, on reasonable suspicion alone, might fly.
2. Narrow the scope of the new subscriber ID production order and/or raise the standard
The bill attempts to fill a gap left in the wake of the Spencer decision, which held that the police need authority in law to demand the subscriber ID attached to an IP from a telco like Shaw. The Court held that we have a high privacy interest in this information, given how readily this can connect us with our search history online.
But it’s been unclear since Spencer what a ‘reasonable law’ authorizing this demand would require. To obtain subscriber ID, police have been using the ‘general production order’ power on probable grounds (in section 487.014 of the Code). The bill creates a dedicated subscriber ID production order obtainable on reasonable suspicion. Will this stand, given how high the Court in Spencer assessed the privacy interest at stake here to be? But wait, there’s more.
The new power would work together with another important change. The bill adds a new section of the Criminal Code, which states: “subscriber information means, in relation to any client of a person who provides services to the public… information related to the services provided to the subscriber or client, including (i) the types of services provided, [and] (ii) the period during which the services were provided”.
In short, the new production order for subscriber ID would give police much of the same info about a person as with the “information demand” — except where services were provided. It would engage an even higher privacy interest than what was contemplated in Spencer. A warrant on reasonable suspicion is arguably not enough to constitute a reasonable law here It should be probable grounds.
Parliament should amend the definition of “subscriber information” to narrow the ambit of what can be obtained. Limit it to simply: user name, pseudonym, address, telephone number and email address. Or, amend the order provision itself to require probable grounds — which would be redundant, since the current ‘general production order’ already does this. (But it does this for a good reason: see above.)
3. Don’t reduce the time limit for challenging a production order so drastically
The bill sets the periods for challenging new information demands and production orders for subscriber ID at 5 days. Within that time frame, you must comply or file a court challenge (a review). Currently, production orders give recipients 30 days. Many will find this challenging, thus watering down an important accountability mechanism that helps make these powers reasonable, especially where they allow police to obtain a warrant on reasonable suspicion rather than probable grounds.
Time limits for challenging orders in new powers might be less than 30 days but more than 5. How about 14 days? And not from the time the order was made, but from the time order was received.
4. Rule out back doors to encryption
The bill’s new “Supporting Authorized Access to Information Act” (SAAIA) contains broad powers to compel electronic service providers to make technical modifications that give law enforcement direct access to private data. The bill states that no provider can be compelled to bring about “systemic vulnerabilities” in “electronic protections.” But it allows the Minister to define what constitutes a “systematic vulnerability,” as well as other key terms such as “encryption” or “authentication.”
The bill should be amended to define these terms to rule out compelled decryption. Australia’s Act defines them. We should adopt their definitions.
5. Subject the Minister’s powers under the Act to independent oversight
Under the SAAIA, the Minister can order technical modifications — or make regulations about them — without having to first obtain an independent assessment of their necessity and proportionality. The Act also imposes sweeping secrecy requirements over ministerial measures, without the need to justify them before a court. And the Minister isn’t obliged to report to Parliament about how the powers are being used.
One concern is that some measures could inadvertently result in real-time interceptions without a warrant. Another concern is that a telco might discover a weakness in relation to a given measure and not be able to share it with other telcos to avoid readily foreseeable harm to people’s privacy.
The bill should be amended to set out factors the Minister must consider before imposing measures on any provider, such as their impact on privacy and cybersecurity. The Minister should have to obtain the Privacy Commissioner of Canada’s approval of any specific measures he or she seeks to impose. Confidentiality orders should require court approval. And the Minister should have to report annually to Parliament on the use of powers under the act.
An inclusive process?
It’s good to see the government seeking input on C-2 from people outside the Department of Justice, the RCMP, and CSIS. It would be even better to see most of not all of these changes made when the bill returns early next year.