Parliament should be cautious before passing laws forcing organizations and people to open encryption systems, say Canada’s privacy commissioners.
In a unanimous submission Tuesday to the federal government’s public consultation on Canada’s national security framework, the federal, provincial and territorial commissioners urged Ottawa to look for “technical solutions which might support discrete, lawfully authorized access to specific encrypted devices, as opposed to imposing general legislative requirements. At the same time, an open dialogue with the technical community, industry, civil society and privacy experts including the OPC (office of the privacy commissioner) could provide valuable input.
“However, if the government feels that a legislative solution is required, we believe that amendments should reflect and articulate the principles of necessity and proportionality, so as to narrow how much information is decrypted, and that such extraordinary measures should be used as a last resort.”
Organizations and residents have until Dec. 15 to file submissions to the government.
A number of Canadian and international police departments have worried publicly about the ability of criminals to encrypt data, particularly on mobile devices, to escape prosecution. Public demand for encryption devices has risen since the revelations of U.S. whistleblower Edward Snowden that American intelligence agencies are huge consumers of data, some of which may have been collected illegally. This has led some politicians to demand hardware and software manufacturers install backdoors to encryption technology. Earlier this year the FBI tried to convince Apple to install an altered version of its operating system on a seized iPhone so it could be unlocked.
But cyber security experts warn that a backdoor for a law enforcement or intelligence agency is also an opening for any criminal or nation state.
Public Safety Canada’s discussion paper for those thinking of making a submission doesn’t take a stand, but does note there is currently no legal procedure designed to require a person or an organization to decrypt their material.
The privacy commissioners admit the use of encryption is complex, for the technology can also be legitimately used by organizations to properly protect sensitive corporate and customer data and therefore encourage trust.
“Other countries legislating in this domain have sought to avoid many of those risks through more flexible regulatory approaches or more principle-based, tech-neutral law,” says the privacy commissioners’ report. “For example, in recent years EU states have taken distinct and differing approaches in policy and law, either ruling out backdoor requirements as too great a risk for data protection and security (the Netherlands), opting to legislate specific powers for investigative orders where encryption is encountered – backed by heavy fines (France), or requiring plaintext from companies pursuant to court orders (the U.K.).”
Canada has some rules which may help law enforcement agencies, the report adds. The new Protecting Canadians from Online Crime Act changed the Criminal Code to allow a judge to attach an assistance order to any search warrant, interception order, production order or other form of electronic surveillance which can compel any named person to help “give effect” to the authorization. Such orders have been used in investigations to defeat security features or compel decryption keys in publicly-reported incidents in other countries.
However, the commissioners admit that such orders raise untested questions about individuals possibly incriminating themselves under the Charter of Rights.
The report also notes there are federal regulations obliging telecommunications carriers to build in surveillance capability, retain communications metadata and provide decrypted content — if possible — to government upon request. If these requirements are not being properly implemented or enforced, the report says Ottawa needs to explain exactly where these standards fall short and why they need modification.
While Ottawa wants to review its national security framework, “the focus cannot be only on addressing challenges faced by national security and law enforcement agencies,” the report warns. “National security agencies have an important and difficult mandate in protecting all Canadians from terrorist threats, and we believe they generally strive to do their work in a way that respects human rights. But history has shown us that serious human rights abuses can occur, not only abroad but in Canada, in the name of national security.
“In order to ensure our laws adapt to current realities, it is important to consider all that we have learned before and after [the 9/11 attacks in the U.S. in] 2001, including the revelations of Edward Snowden regarding mass surveillance, other known risks regarding the protection of privacy and human rights such as those identified during commissions of inquiry, as well as recent terrorist threats and incidents. Key lessons from this history are that the legal framework should include clearer safeguards to protect rights and prevent abuse, that national security agencies must be subject to effective and comprehensive review, and that new state powers must be justified on the basis of evidence.”
Among other recommendations in the report:
–Existing standards allowing police to access metadata of customers of telecom and Internet providers should be tightened and privacy protections should be enhanced. In 2014 the Supreme Court of Canada said police and intelligence agencies need a search warrant to get metadata. The 2015 Bill C-13 has lowered the threshold somewhat by requiring police to only have “reasonable grounds to suspect” an offence, says the report. The government’s discussion paper suggests metadata should be available to law enforcement more easily than under current laws to help investigations.
But, say the privacy commissioners, “we have not seen evidence why these [existing] provisions do not give law enforcement adequate tools to do their job. The government is proposing to further reduce safeguards. It has a duty to provide precise explanations as to why existing thresholds cannot be met and why administrative authorizations to obtain metadata, rather than judicial authorizations, sufficiently protect Charter rights absent exigent circumstances.”
Because metadata can reveal personal information, Parliament might direct that the collection of metadata should be a last resort, the report suggests, or limited to serious crimes where public safety interests may outweigh potential risks to privacy.
–Forcing Canadian-based carriers and service providers to hold customer metadata and data for an extended period of time isn’t needed. Judges can already issue preservation demands to any organization to hold information for 21 days, the report notes, and orders to preserve information for three months. “We have not seen evidence why these tools do not work.” Introducing a broad retention requirement not only impinges on human rights, it also increases the risks of breaches to that personal information held by police. “Retention requirements, if any, should be scoped narrowly, focussing on serious crime only, and should be for the briefest period of time possible.”
–Ottawa should reconsider provisions under Bill C-51 that allow federal departments to share personal information deemed merely “relevant” to the detection of new security threats. “Setting such a low standard is a key reason the risks to law abiding citizens are excessive,” federal privacy commissioner Daniel Therrien said in a statement. “If ‘strictly necessary’ is adequate for CSIS (the Canadian Security Intelligence Service) to collect, analyze and retain information, it is unclear to us why this cannot be adopted for all departments and agencies involved in national security.”