Link

Generalist Policing Models Remain Problematic

From the New York Time’s opinion section, this piece on“Why the F.B.I. Is so far behind on cybercrime?” reinforces the position that American law enforcement is stymied in investigating cybercrimes because:

…it lacks enough agents with advanced computer skills. It has not recruited as many of these people as it needs, and those it has hired often don’t stay long. Its deeply ingrained cultural standards, some dating to the bureau’s first director, J. Edgar Hoover, have prevented it from getting the right talent.

Emblematic of an organization stuck in the past is the F.B.I.’s longstanding expectation that agents should be able to do “any job, anywhere.” While other global law enforcement agencies have snatched up computer scientists, the F.B.I. tried to turn existing agents with no computer backgrounds into digital specialists, clinging to the “any job” mantra. It may be possible to turn an agent whose background is in accounting into a first-rate gang investigator, but it’s a lot harder to turn that same agent into a top-flight computer scientist.

The “any job” mantra also hinders recruitment. People who have spent years becoming computer experts may have little interest in pivoting to another assignment. Many may lack the aptitude for — or feel uneasy with — traditional law enforcement expectations, such as being in top physical fitness, handling a deadly force scenario or even interacting with the public.

This very same issue plagues the RCMP, which also has a generalist model that discourages or hinders specialization. While we do see better business practices in, say, France, with an increasing LEA capacity to pursue cybercrime, we’re not yet seeing North American federal governments overhaul their own policing services.1

Similarly, the FBI is suffering from an ‘arrest’ culture:

The F.B.I.’s emphasis on arrests, which are especially hard to come by in ransomware cases, similarly reflects its outdated approach to cybercrime. In the bureau, prestige often springs from being a successful trial agent, working on cases that result in indictments and convictions that make the news. But ransomware cases, by their nature, are long and complex, with a low likelihood of arrest. Even when suspects are identified, arresting them is nearly impossible if they’re located in countries that don’t have extradition agreements with the United States.

In the Canadian context, not only is pursuing to arrest a problem due to jurisdiction, the complexity of cases can mean an officer spends huge amounts of time on a computer, and not out in the field ‘doing the work’ of their colleagues who are not cyber-focused. This perception of just ‘playing games’ or ‘surfing social media’ can sometimes lead to challenges between cyber investigators and older-school leaders.2 And, making things even more challenging is that the resources to train to detect and pursue Child Sexual Abuse Material (CSAM) are relatively plentiful, whereas economic and non-CSAM investigations tend to be severely under resourced.

Though there is some hope coming for Canadian investigators, by way of CLOUD agreements between the Canadian and American governments, and the updates to the Cybercrime Convention, both will require updates to criminal law as well as potentially provincial privacy laws to empower LEAs with expanded powers. And, even with access to more American data that enables investigations this will not solve the arrest challenges when criminals are operating out of non-extradition countries.

It remains to be seen whether an expanded capacity to issue warrants to American providers will reduce some of the Canadian need for specialized training to investigate more rudimentary cyber-related crimes or if, instead, it will have a minimum effect overall.


  1. This is also generally true to provincial and municipal services as well. ↩︎
  2. Fortunately this is a less common issue, today, than a decade ago. ↩︎
Quote

The fact that it was [sic] responsibility not of the RCMP but of the employer, whether government department or private company, to actually remove a security risk from employment, that is, to exercise direct coercion, is precisely in line with the panoptic element. The RCMP merely watched, gathered information, and provided advice, silently and in the shadows. The effect was to induce political discipline through pervasive, diffuse fear of the consequences of risky ideas, friends, or associations. Totalitarian states enforced political discipline through cruder forms of police state coercion. In fighting the Nazi state, Canada was also groping towards a more effective, non-coercive, form of discipline. The RCMP provided to be able students of the new science of political surveillance.

  • Reg Whitaker et al, Secret Service: Political Policing in Canada from the Fenians to Fortress America
Link

Supreme Court of Canada to Decide on Protection of Journalistic Material

From CBC News:

The materials at issue relate to three stories Makuch wrote in 2014 on a Calgary man, Farah Shirdon, 22, charged in absentia with various terrorism-related offences. The articles were largely based on conversations Makuch had with Shirdon, who was said to be in Iraq, via the online instant messaging app Kik Messenger.

With court permission, RCMP sought access to Makuch’s screen captures and logs of those chats. Makuch refused to hand them over.

RCMP and the Crown argued successfully at two levels of court that access to the chat logs were essential to the ongoing investigation into Shirdon, who may or may not be dead. They maintained that journalists have no special rights to withhold crucial information.

Backed by alarmed media and free-expression groups, Makuch and Vice Media argued unsuccessfully that the RCMP demand would put a damper on the willingness of sources to speak to journalists.

The conflicting views will now be tested before the Supreme Court.

This case matters for numerous reasons.

First, there has been a real drying up of certain sources, which has prevented journalists in Canada from bringing material to public light. Such material doesn’t just pertain to terrorism and foreign combatants but, also, white collar crime, political scandals, cybercrime issues, and more. The Canadian public is being badly served by the Crown’s continued pursuit of this case.

Second, this case threatens to further diminish relations between the state and non-state actors who may, as a result, be (further) biased against state authorities. It’s important to be critical of the government and especially aspects of the government which can dramatically reshape citizens’ life opportunities. But should the press gallery adopt an unwarranted and more critical and combative tone towards the government there could be a deleterious impact on the trust Canadians have in their government . By extension, this could lead to a further decline in the willingness to see the government as something that tries to represent the citizenry writ large. That kind of democratic malaise is dangerous to ongoing governance and a threat to the legitimization of all kinds of state activities.

Link

RCMP is overstating Canada’s ‘surveillance lag’ | Toronto Star

From a piece that I wrote with Tamir Israel for the Toronto Star:

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those foreign police services.

The centrepiece of the RCMP’s pitch is captured in an infographic that purports to show foreign governments are legislating powers that are more responsive to investigative challenges posed by the digital world. On the basis of this comparison, the RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers.

The RCMP’s lobbying effort misleadingly leaves an impression that Canadian law enforcement efforts are being confounded by digital activities.

An Op-ed that I published with a colleague of mine, Tamir Israel, earlier this week that calls out the RCMP for deliberately misleading the public with regards to government agencies’ existing surveillance powers and capabilities.

Link

Pleading the Case: How the RCMP Fails to Justify Calls for New Investigatory Powers

The powers that the government is proposing in its national security consultation — that all communications made by all Canadians be retained regardless of guilt, that all communications be accessible to state agencies on the basis that any Canadian could potentially commit a crime, that security of communications infrastructure should be secondary to government access to communications — are deeply disproportionate to the challenges government agencies are facing. The cases chosen by authorities to be selectively revealed to journalists do not reveal a crisis of policing but that authorities continue to face the ever-present challenges of how to prioritize cases, how to assign resources, and how to pursue investigations to conclusion. Authorities have never had a perfect view into the private lives of citizens and that is likely to continue to be the case, but they presently have a far better view into the lives of most citizens, using existing powers, than ever before in history.

The powers discussed in its consultation, and that the RCMP has implicitly argued for by revealing these cases, presume that all communications in Canada ought to be accessible to government agencies upon their demand. Implementing the powers outlined in the national security consultation would require private businesses to assume significant costs in order to intercept and retain any Canadian’s communications. And such powers would threaten the security of all Canadians — by introducing backdoors into Canada’s communications ecosystem — in order to potentially collect evidence pursuant to a small number of cases, while simultaneously exposing all Canadians to the prospect of criminals or foreign governments exploiting the backdoors the RCMP is implicitly calling for.

While the government routinely frames lawful interception, mandated decryption, and other investigatory powers as principally a ‘privacy-vs-security’ debate, the debate can be framed as one of ‘security-or-less-security’. Do Canadians want to endanger their daily communications and become less secure in their routine activities so that the RCMP and our security services can better intercept data they cannot read, or retain information they cannot process? Or do Canadians want the strongest security possible so that their businesses, personal relationships, religious observations, and other aspects of their daily life are kept safe from third-persons who want to capture and exploit their sensitive and oftentimes confidential information? Do we want to be more safe from cybercriminals, or more likely to be victimized by them by providing powers to government agencies?

 

Link

The RCMP Is Trying to Sneak Facial and Tattoo Recognition Into Canada

The RCMP Is Trying to Sneak Facial and Tattoo Recognition Into Canada:

“That the RCMP is looking at purchasing this kind of capability is in line with what the FBI and other [law enforcement agencies] around the world are doing,” said Christopher Parsons, a postdoctoral fellow at Toronto-based surveillance research hub Citizen Lab.

A previously published RCMP document notes that all of the new system’s scanners for fingerprints and facial images “must have undergone testing by the FBI and be listed on the FBI Certified Products List.”

“However,” Parsons continued, “in all of those jurisdictions there are significant privacy concerns, concerns about the general efficacy of the technology, concerns about whether too much data is collected in the first place, and concerns linked to the risks associated with information sharing between departments.”

The FBI’s biometric database, called the Next Generation Identification (NGI), has been widely criticized by civil rights groups such as the Electronic Frontier Foundation and the American Civil Liberties Union due to the potential for abuse by officers. As numerous incidents in the UK and US have shown, police are sometimes unable to resist the urge to dip into a database of personal information to settle their own very personal scores.

There may be an additional privacy risk in Canada, Parsons wrote, thanks to recent legislation that made it even easier for federal agencies to share information. A January 2016 email sent to S/Sgt. Michael Leben, manager of RCMP latent fingerprint operations in Ottawa, states that the force’s new AFIS system is part of a joint venture with Canada Border Services Agency to identify people entering Canada.

The RCMP has a bid out where companies would have to be able to add-on facial recognition capabilities to the primary fingerprint-biometric system. And the RCMP currently lacks the authority to engage in such facial and bodily recognition. But that’s not stopping it from planning for the future…

Link

RCMP members watch porn, snoop on spouses, files show – Politics – CBC News

So, two things here:

  1. These are some of the dangerous uses that a group of BC residents identified with regards to automatic license plate recognition, namely the use of non-hit data (i.e. information not linked to motor vehicle crimes) in excess of the ALPR program’s stated mandate;
  2. Holy hell. This is a case of a police officer stalking/inciting fear in a civilian and her current romantic partner, and there was a reprimand and a few days of docked pay? It’s these kinds of actions that teach people ‘the police won’t protect me if their own interests are involved.’

I mean really, with regards to (2), how terrifying would it be that an ex who is legitimately empowered to exercise the law is stalking you and those associated with you, using a ubiquitous surveillance technology. And moreover, imagine that things had been reversed: that the CIVILIAN was tracking the police officer. No way there’d be a reprimand and a few days of lost pay. No, that civilian would be looking at some intense court actions.

Total. Double. Standard.

Quote

As Denham points out, though, the RCMP is not under her jurisdiction, so she can’t bring them into line. But the RCMP simply shouldn’t be running a surveillance system on people who haven’t broken any law, and they shouldn’t be able to take advantage of the federal-provincial jurisdictional split to do so either.

This means Canada’s Privacy Commissioner Jennifer Stoddart is going to have to school the Mounties on what privacy rights really mean, and why setting up a massive “just in case” database is not only a bad idea, it’s against the law.