Tag: Canada

Categories
Writing

Uber and the Limits of Privacy Law

When was the last time that you thought long and hard about the information companies are collecting, sharing, and selling about you? Maybe you thought about it after reading some company had suffered a data breach or questionably used your data, and then set the worries out of your mind.

What you may not know is that most contemporary Western nation-states have established data protection and privacy legislation over the past several decades. A core element of these laws include data access rights: the right for individuals to compel companies to disclose what information the companies have collected, stored, and shared about them.

In Canada, federal commercial privacy legislation lets Canadian citizens and residents request their personal information. They can use an online application to make those requests to telecommunications companies, online dating companies, or fitness wearable companies. Or they can make requests themselves to specific companies on their own.

So, what happens when you make a request to a ride sharing company? A company like Uber? It might surprise you but they tend to provide you with a lot of information about you, pretty quickly, and in surprisingly digestible formats. You can see when you used a ride sharing application to book a ride, the coordinates of the pickup, where you were dropped off, and so forth.

But you don’t necessarily get all of the information that ride sharing companies collect about you. In the case of Uber, the company was recently found to be fingerprinting the phones its application was installed on. There’s some reason to believe that this was for anti-fraud purposes but, regardless, the collection of that information arguably constitutes the collection of personal information. Per Canadian privacy legislation, such information is defined as “information about an identifiable individual” and decisions by the Commissioner have found that if there is even an instant where machine identifiers are linked with identifiable subscriber data, that the machine identifiers also constitute personal information. Given that Uber was collecting the fingerprints while the application was installed, it likely was linking those fingerprints with subscriber data, even if only momentarily before subsequently separating the identifiers and other data.

So if Uber had a legal duty to inform individuals about the personal information that it collected, and failed to do so, what is the recourse? Either the Federal Office of the Privacy Commissioner of Canada could launch an investigation or someone who requested their personal information from Uber could file a formal complaint with the Office. That complaint would, pretty simply, argue that Uber had failed to meet its legal obligations by not disclosing the tracking information.

But even if Uber was found to have violated Canadian law there isn’t a huge amount of recourse for affected individuals. There aren’t any fines that can be levied by the Canadian federal commissioner. And Uber might decide that it doesn’t want to implement any recommendations that Privacy Commissioner provided: in Canada, to enforce an order, a company has to be taken to court. Even when companies like Facebook have received recommendations they have selectively implemented them and ignored those that would impact their business model. So ‘enforcement’ tends to be limited to moral suasion when applied by the federal privacy commissioner.1

But the limits of enforcement only strike to a part of the problem. What is worse is we only know about Uber’s deceptive practices because of journalism. It isn’t because the company was forthcoming and proactively disclosed this information well-in-advance of fingerprinting devices. Other companies can read that signal and know that they can probably engage in questionable and unlawful practices and have a pretty low expectation of being caught or punished.

In a recent article published by a summer fellow for the Citizen Lab, Adrian Fong argued that enforcing data protection and privacy laws on individual private companies is likely an untenable practice. Too few companies will be able to figure out how to deal with data access requests, fewer will be inclined to respond to them, and even fewer will understand whether they are obligated to respond to such requests or not in the first place. Instead, Fong argues that application stores — such as Google’s and Apple’s respective App stores — could include comprehensive data access rights as part of the contracts that app developers agree to with the app store owners. Failure to comply with the data access rights aspect of a contract could lead to an app being removed from the app store. Were Google and Apple to seriously implement such a practice then their ability to remove bad actors, such as Uber, from app stores could lead to a modification of business practices.

Ultimately, however, I’m not certain that the ‘solution’ to Uber is better privacy law. It’s probably not even just better regulation. Rather, ‘solving’ for companies like Uber demands changing how engineers and business persons are educated and trained, and modifying the grounds under which they’re rewarded and punished for their actions. Greater emphases on ethical practices and the politics of code need to be ingrained in their respective educational curriculum, just as arts and humanities students should be exposed in more depth to the hard sciences. And engineers, generally, need to learn that they’re not just solving hard problems such as preventing fraudulent rides: they’re also embedding power structures in the code they develop, and those structures can’t just run roughshod over the law that democratic publics have established to govern private behaviours. Or, at least, if they run afoul of the law — be it national data protection law or contract law — there will at least be serious consequences. Doing otherwise will simply incentivize companies to act unethically on the basis that there are few, or no, consequences for behaving like a bad actor.

NOTE: this was originally posted to Medium.

  1. 1 Some of Canada’s provincial commissioners do have order making powers. ↩︎
Categories
Links Writing

Why We Need to Reevaluate How We Share Intelligence Data With Allies

Last week, Canadians learned that their foreign signals intelligence agency, the Communications Security Establishment (CSE), had improperly shared information with their American, Australian, British, and New Zealand counterparts (collectively referred to as the “Five Eyes”). The exposure was unintentional: Techniques that CSE had developed to de-identify metadata with Canadians’ personal information failed to keep Canadians anonymous when juxtaposed with allies’ re-identification capabilities. Canadians recognize the hazards of such exposures given that lax information-sharing protocols with US agencies which previously contributed to the mistaken rendition and subsequent torture of a Canadian citizen in 2002. 

Tamir Israel (of CIPPIC) and I wrote and article for Just Security following these revelations. We focused on the organization’s efforts, and failure, to suppress Canadians’ identity information that is collected as part of CSE’s ongoing intelligence activities and the broader implications of erroneous information sharing. Specifically, we focus on how such sharing can have dire life consequences for those who are inappropriately targeted as a result by Western allies and how such sharing has led to the torture of a Canadian citizen. We conclude by arguing that the collection and sharing of such information raises questions regarding the ongoing viability of the agency’s old-fashioned mandates that bifurcate Canadian and non-Canadian persons’ data in light of the integrated nature of contemporary communications systems and data exchanges with foreign partners.

Read the Article

Categories
Links

Naqvi: Solution to Court Delays – Call off your Crowns

There can be no debate — delays in our justice system are a very bad thing. With every week, month and year of delay, memories fade, the quality of evidence degrades and victims are denied legal closure.

And, often intentionally overlooked is the reality that court delays mean that accused persons who are presumed (and often are) innocent suffer ongoing stigma, stress, loss of employment, oppressive bail conditions and incarceration waiting for their trial dates.

Let’s get one thing straight — there is not one accused person being held in our Dicken-sian provincial jails who is intentionally delaying their day in court. There is simply no benefit to do so. Ontario’s remand centres are violent, overcrowded, humanity-destroying hellscapes, which are completely devoid of any rehabilitation programming or basic human comforts.

Canadians only realize how broken the legal system is when they, or someone they know, is sucked into it.

Categories
Links

Privacy and Policing in a Digital World

As the federal government holds public consultations on what changes should be made to Bill C-51, the controversial anti-terrorism legislation passed by the Conservative government, various police agencies such as the RCMP and the Canadian Association of Chiefs of Police have petitioned to gain new powers to access telephone and internet data. Meanwhile nearly half of Canadians believe they should have the right to complete digital privacy. The Agenda examines the question of how to balance privacy rights with effective policing in the digital realm.

I was part of a panel that discussed some of the powers that the Government of Canada is opening for discussion as part of its National Security consultation, which ends on December 15, 2016. If you want to provide comments to the government, see: https://www.canada.ca/en/services/defence/nationalsecurity/consultation-national-security.html

Categories
Links Quotations

RCMP is overstating Canada’s ‘surveillance lag’ | Toronto Star

From a piece that I wrote with Tamir Israel for the Toronto Star:

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those foreign police services.

The centrepiece of the RCMP’s pitch is captured in an infographic that purports to show foreign governments are legislating powers that are more responsive to investigative challenges posed by the digital world. On the basis of this comparison, the RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers.

The RCMP’s lobbying effort misleadingly leaves an impression that Canadian law enforcement efforts are being confounded by digital activities.

An Op-ed that I published with a colleague of mine, Tamir Israel, earlier this week that calls out the RCMP for deliberately misleading the public with regards to government agencies’ existing surveillance powers and capabilities.

Categories
Links Quotations

Pleading the Case: How the RCMP Fails to Justify Calls for New Investigatory Powers

The powers that the government is proposing in its national security consultation — that all communications made by all Canadians be retained regardless of guilt, that all communications be accessible to state agencies on the basis that any Canadian could potentially commit a crime, that security of communications infrastructure should be secondary to government access to communications — are deeply disproportionate to the challenges government agencies are facing. The cases chosen by authorities to be selectively revealed to journalists do not reveal a crisis of policing but that authorities continue to face the ever-present challenges of how to prioritize cases, how to assign resources, and how to pursue investigations to conclusion. Authorities have never had a perfect view into the private lives of citizens and that is likely to continue to be the case, but they presently have a far better view into the lives of most citizens, using existing powers, than ever before in history.

The powers discussed in its consultation, and that the RCMP has implicitly argued for by revealing these cases, presume that all communications in Canada ought to be accessible to government agencies upon their demand. Implementing the powers outlined in the national security consultation would require private businesses to assume significant costs in order to intercept and retain any Canadian’s communications. And such powers would threaten the security of all Canadians — by introducing backdoors into Canada’s communications ecosystem — in order to potentially collect evidence pursuant to a small number of cases, while simultaneously exposing all Canadians to the prospect of criminals or foreign governments exploiting the backdoors the RCMP is implicitly calling for.

While the government routinely frames lawful interception, mandated decryption, and other investigatory powers as principally a ‘privacy-vs-security’ debate, the debate can be framed as one of ‘security-or-less-security’. Do Canadians want to endanger their daily communications and become less secure in their routine activities so that the RCMP and our security services can better intercept data they cannot read, or retain information they cannot process? Or do Canadians want the strongest security possible so that their businesses, personal relationships, religious observations, and other aspects of their daily life are kept safe from third-persons who want to capture and exploit their sensitive and oftentimes confidential information? Do we want to be more safe from cybercriminals, or more likely to be victimized by them by providing powers to government agencies?

 

Categories
Links Writing

Dissecting CSIS’ Statement Concerning Indefinite Metadata Retention

The Canada Security Intelligence Service (CSIS) released a public statement after the Federal Court found the Service to be breaking the law by permanently retaining metadata they had been collecting. To date, the Public Safety Minister has refused to clarify the numbers of Canadians who have been caught up in this ‘catch once, catch forever’ surveillance regime.

The Service’s statement is incredibly misleading. It is designed to trick Canadians and parliamentarians into thinking that CSIS didn’t do anything that was really ‘that’ bad. I fundamentally disagree with CSIS’ activities in this regard and, as a result, I’ve conducted a detailed evaluation of each sentence of the Service’s statement.

You can read my dissection of CSIS’ statement at Technology, Thoughts, and Trinkets.

Categories
Links Writing

Canada’s spy agency illegally kept data for a decade, court rules

To be clear, the judge’s ruling:

  1. Found that CSIS had deliberately been misleading/lying to the court for a decade concerning the agency’s permanent retention of metadata;
  2. Raised the prospect of contempt of court proceedings against CSIS and its attorneys at the Department of Justice;
  3. Approved changes to unknown warrants (we’re not allowed, as members of the public, to know the warranting powers of CSIS it seems);
  4. Did not require CSIS to delete or stop using the metadata it had illegally collected, on grounds that doing so could raise jurisdictional issues. Translation: the information has been shared, or mixed with, foreign agencies’ metadata already and thus prevents the court from easily crafting a judgment around its use;
  5. CSIS did not believe that it was required to be fully transparent with the federal court that issues CSIS’ warrants on grounds that the court was ‘not an oversight body’;
  6. CSIS had internally, with Department of Justice guidance, secretly reinterpreted laws to cloak its actions in the guise of lawfulness (internally) while deliberately hiding such interpretations and the implications thereof from the court.

Canada has a national security consultation going on, and part of it raises the question of ‘does Canada have sufficient oversight and accountability for its national security operations?’ If you care about these issues, go and spend some time sending a message to the government.

Categories
Links

How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists

From Motherboard:

According to Citizen Lab researcher Christopher Parsons, these same powers that target journalists can be used against non-journalists under C-13. And the only reason we know about the aforementioned cases is that the press has a platform to speak out.

“This is an area where transparency and accountability are essential,” Parsons said in an interview. “We’ve given piles and piles of new powers to law enforcement and security agencies alike. What’s happened to this journalist shows we desperately need to know how the government uses its powers to ensure they’re not abused in any way.”

“I expect that the use of these particular powers will become more common as the police get more used to using it and more savvy in using them,” Parsons said.

These were powers that were ultimately sold to the public (and passed into law) as needed to ‘child pornography’. And now they’re being used to snoop on journalists to figure out who their sources are, without being mandated to report on the regularity at which the powers are used to the efficacy of such uses. For some reason, this process doesn’t inspire a lot of confidence in me.

Categories
Links

Canada’s National Security Consultation: Digital Anonymity & Subscriber Identification Revisited… Yet Again – Technology, Thoughts & Trinkets

Over at Technology, Thoughts, and Trinkets I’ve written that:

Last month, Public Safety Canada followed through on commitments to review and consult on Canada’s national security framework. The process reviews powers that were passed into law following the passage of Bill C-51, Canada’s recent controversial anti-terrorism overhaul, as well as invite a broader debate about Canada’s security apparatus. While many consultation processes have explored expansions of Canada’s national security framework, the current consultation constitutes the first modern day attempt to explore Canada’s national security excesses and deficiencies. Unfortunately, the framing of the consultation demonstrates minimal direct regard for privacy and civil liberties because it is primarily preoccupied with defending the existing security framework while introducing a range of additional intrusive powers. Such powers include some that have been soundly rejected by the Canadian public as drawing the wrong balance between digital privacy and law enforcement objectives, and heavily criticized by legal experts as well as by all of Canada’s federal and provincial privacy commissioners.

The government has framed the discussion in two constituent documents, a National Security Green Paper and an accompanying Background Document. The government’s framings of the issues are highly deficient. Specifically, the consultation documents make little attempt to explain the privacy and civil liberties implications that can result from the contemplated powers. And while the government is open to suggestions on privacy and civil liberties-enhancing measures, few such proposals are explored in the document itself. Moreover, key commitments, such as the need to impose judicial control over Canada’s foreign intelligence agency (CSE) and regulate the agency’s expansive metadata surveillance activities, are neither presented nor discussed (although the government has mentioned independently that it still hopes to introduce such reforms). The consultation documents also fail to provide detailed suggestions for improving government accountability and transparency surrounding state agencies’ use of already-existent surveillance and investigative tools.

In light of these deficiencies, we will be discussing a number of the consultation document’s problematic elements in a series of posts, beginning with the government’s reincarnation of a highly controversial telecommunication subscriber identification power.

I wrote the first of what will be many analyses of the Canadian government’s national security consultation with a good friend and colleague, Tamir Israel.

The subscriber identification powers we write about are not really intended for national security but will, instead, be adopted more broadly by law enforcement so they can access the data indiscriminately. Past legislative efforts have rejected equivalent powers: it remains to be seen if the proposal will (once more) be successfully rejected, or whether this parliament will actually establish some process or law that lets government agencies get access to subscriber identification information absent a warrant.