Bill C-13: Does the Trojan Horse Contain Lawful Access Gifts, or Just Greek Hoplites

Yesterday, the government tabled Bill C-13, Protecting Canadians from Online Crime Act.  Notwithstanding this quite generic short-title, the public seems to have dubbed the law project "the cyber bullying bill".  And indeed this is exactly how the government has explained and promoted it.

But I am writing about this bill here, in a blog on national security law, not because of its cyberbullying aspects but because it has a lot of interesting lawful access provisions. For this reason, critics have called it a Trojan Horse; that is: a nice gift on the outside, but full of attackers waiting in ambush.

As the now venerable (but still very relevant) 2002 government consultation paper on the topic defines it, "lawful access" "consists of the interception of communications and search and seizure of information carried out pursuant to legal authority as provided in the Criminal Code, the Canadian Security Intelligence Service Act, and other Acts of Parliament such as the Competition Act."

In the national security area, lawful access involves, principally:

  1. judicial warrants for intercepting "private communications" under Part VI of the Criminal Code (intercept warrants);
  2. judicial warrants for searches and seizures under Part XV of the Criminal Code (regular search warrants);
  3. judicial warrants for access to "information, record[s], document[s] or thing[s]" under Part II of the CSIS Act (CSIS warrants);
  4. ministerial authorizations permitting inadvertent interception of private communications by CSEC as part of its foreign intelligence mandate under Part V.1 of the National Defence Act (CSEC authorizations).

The Trouble with Warrants

I commend to you Steven Penney's comprehensive article on surveillance law.  But let me summarize briefly my own observations: Part VI of the Criminal Code creaks with age.  It is a product of the 1970s, though obviously updated regularly since then.  In 2002, the government consultation document noted the following:

The requirements for intercepting a "private communication" are more onerous than those required to obtain a search warrant to seize documents or record. ...  Part VI of the Criminal Code, defines the expression "private communication" to cover any oral communication, or any telecommunication made under circumstances creating a reasonable expectation of privacy.  This appears to suggest that, once a communication is put in writing, it can no longer be considered a "private communication" for the purpose of the interception of communications provisions of the Criminal Code. ... However, some cases dealing with e-mails in Canada have taken the position that they are to be considered "private communications." ...

These decisions, along with the definition of "private communication," create some confusion as to whether an e-mail should be seized or intercepted.  The problem stems from how this "store and forward" technology works. It is in fact possible to access an e-mail in various places or at various stages of the communication or delivery process using various techniques.  ... The way e-mail messages are transmitted, the relationship between the transmission and/or reception of the message, and the interplay between the sender and the recipient would appear to be covered by the current definition of the term "intercept" in the Criminal Code.

Two stages are more problematic:

  • while e-mail is stored at the sender's ISP
  • while e-mail is stored at the recipient's ISP

The acquisition of e-mails under these circumstances can on occasion be at the same time as the transmission of those e-mails, but it may also be delayed.  Additionally, e-mails may be stored for long periods (weeks or months) before they are opened by the recipient.  The simultaneous transmission and acquisition of the content of an e-mail could be similar to an "interception" under Part VI the Criminal Code.  However, the acquisition of those contents when they are stored could also be considered a "seizure" under Part XV of the Criminal Code.

In other words, email may be either an intercept (and governed by Part VI depending on how earnestly you focus on "oral" in the definition of "private communication) or a seizure, subject to regular search warrant requirements.  It really depends how long you wait.  See, for instance, R. v. Bahr, 2006 ABPC 360.  This is surely not a sensible system and it calls out for clarification.

In essence, this is the issue addressed in a small way by the Supreme Court this year in R. v. Telus, 2013 SCC 16.  That case considered whether text messages were subject to intercept through general search warrants in s.487.01 or under intercept warrants. 

Put simply, the Court's majority concluded that the more stringent intercept warrant requirements had to be followed.  In so concluding, they focused on aspects of text messaging that rendered it a form of "telecommunications".  Emails don't share all the technical qualities of text messages described by the Court, at least not always.  But it would seem the height of formalism to imagine that intercept warrants are required when you email through a mobile device using a cellular service but not when you use your home computer with a direct highspeed cable connection.  So a betting man might be inclined to the view that absent amendment, Part VI applies to emails and other forms of oral or non-oral electronic communications over an ISP.

The caveat is this: the case seemed to turn upon a peculiarity of s.487.01: that warrant power could only be used where there "is no other provision in this or any other Act of Parliament that would provide for a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done."  Absent that language, the outcome of the case could have been very different.  The police might have been able to choose to use s.487.01.  Maybe.

CSIS, meanwhile, has none of these troubles.  The CSIS Act is omnivorous, applying the same warrant standard to the seizure of all sorts of information, be they a thing or a communication.  So while the Mounties may have to sweat how to characterize an email for lawful access purposes, CSIS doesn't.  And CSIS gets to wiretap without all the heavy formalism of the Part VI Criminal Code requirements.  And that has been true since 1984.

In this respect, this is an opportune moment to list the ways in which a wiretap authorization differs from a regular warrant (an edited digest of the list provided by the Supreme Court in Telus):

  •  Part VI authorizations must indicate the identity of persons whose private communications will be intercepted, the place at which they are intercepted, and the manner of the interception.
  • Intercept warrants required to contain such conditions as the judge considers advisable and will only be valid for a limited period of time not to exceed 60 days (in most cases -- there are exceptions).
  • Intercept warrants must be supported by a written application by the Attorney General, Minister of Public Safety or a designated agent is required.
  • With intercept warrants, a judge must be satisfied that the authorization is in the best interests of the administration of justice and "that other investigative procedures have been tried and have failed, other investigative procedures are unlikely to succeed or the urgency of the matter is such that it would be impractical to carry out the investigation of the offence using only other investigative procedures" (again, with exceptions). 
  • Part VI includes notice requirements. Among other things, notice must be given to targets of interceptions within a certain period (quite variable). And the government must produce an annual report with respect to the use of Part VI authorizations.

Now, it is important to note that to get any of these types of warrants (so all of those lawful access powers discussed above, except the ministerial authorization for CSEC), the agency in question needs to appear in front a judge and satisfy a reasonable and probable grounds to believe standard. 

So, as an Ontario Superior Court judge recently observed in relation to an intercept warrant: "In order for the first part of that test [to issue a warrant] to pass muster under s. 8 of the Charter, it has been interpreted as importing the same legal requirements as for a  search warrant - i.e. there must be reasonable and probable grounds for believing that a specified crime has been or is being committed and that the interception of private communications will afford evidence of the crime" (R v. Durban, 2012 ONSC 6939 at para. 7). 

For CSIS, the magic language also appears in the more slender jurisprudence: "The judge is required to be satisfied, on reasonable and probable grounds established by sworn evidence, that a threat to the security of Canada exists and that a warrant is required to enable its investigation" (Atwal v. Canada, [1988] 1 F.C. 107 at para. 36).

(CSEC, when exercising its foreign intelligence mandate, is in a different universe, and that is why the relevant statutory provisions are now being challenged in court by the BC Civil Liberties Association).

The New Lawful Access

The world has changed, and now the hot topic isn't intercept of communications but intercept of metadata.  Here's a decent definition of metadata, from clause 20 of the new Bill C-13:

a) relates to the telecommunication functions of dialling, routing, addressing or signalling;

b) is transmitted to identify, activate or configure a device, including a computer program as defined in subsection 342.1(2), in order to establish or maintain access to a telecommunication service for the purpose of enabling a communication, or is generated during the creation, transmission or reception of a communication and identifies or purports to identify the type, direction, date, time, duration, size, origin, destination or termination of the communication; and

c) does not reveal the substance, meaning or purpose of the communication.

(A shout out to Steven Penney as I see that para (c) lines up with one of his recommendations in his article, noted above.)

It is, in a phrase, data-about-data, not about communication content.  Of course, as we all know, collect enough data-about-data and you can piece together a portrait of an individual more intimate than even that person's oral recitation of his or her biography in a wiretapped telephone call.

Now, for about eight years, the government has been trying to enact new rules for data-about-data intercepts, dating back to the Martin government.  Up to and including last year's abandoned Bill C-30, the government sought to introduce measures compelling ISPs to cough up metadata on government request, without judicial warrant.

In C-13, this effort is abandoned.  And so I said "hurrah" when I read it.  It seems an acknowledgement by the government that metadata does give rise to a reasonable expectation of privacy -- something increasingly evident.  And that has implications for all this ongoing discussion about what CSEC is doing with metadata and whether ministerial authorizations are enough when it inadvertently collects Canadian metadata.

And meanwhile, everyone else on the twittersphere and on the country's editorial boards seemed to see the bill as the latest reincarnation of Vic Toews. (That is, when they talked substance.  A lot were just offended by the Trojan Horse idea of bundling lawful access in with cyberbullying.  On this process issue, I guess I don't see why when you're trying to deal with a cyber crime you shouldn't also include long overdue updates to cyber investigative techniques in what is, actually, not that long a bill).

Electronic Content

But on substance: as I read the bill, computer communication content-rich data (as in email etc.) must be produced by the ISP pursuant to a warrant issued on a reasonable grounds to believe standard (which needs to be read as reasonable and probable grounds for constitutional reasons).  See clause 487.014.  This clause replicates the infrastructure of a regular search warrant (replacing the prior s.487.012) and not the more onerous Part VI requirements. 

It is worth a brief pause here.  An obvious question is whether the old s.487.012 and the new clase 487.014 carry much water, given the Supreme Court's Telus decision, noted above.  As I have suggested, it is only a skip and a jump from text message to other forms of electronic communication.  But there is that important wrinkle: Telus was very attentive to that provision of the warrant power there at issue -- s.487.01 -- that allowed it to be used only where some other warrant provision was inapplicable.  Absent that subordination provision, the outcome might have been different.  And proposed clause 487.014 does not have this same subordination language.  So that would suggest that the police may prefer it over Part VI, unless Part VI's extra special protection are a constitutional requirement (not an established conclusion).

Metadata

Meanwhile, under the bill, the ISP must provide metadata (or what the bill calls "transmission data") pursuant to a warrant issued by a judge on a reasonable grounds to suspect standard.  See, e.g., clause 487.016.

And so this begs the question: is reasonable grounds to suspect appropriate.  Because there is no doubt that up until now, if the state wished to search an ISP for computer (as opposed to telephone) metadata, it would do so under a conventional warrant (that is, one issued on a reasonable grounds to believe standard). (See current Criminal Code s.487.011).

The first point is that whatever "reasonable grounds to suspect" means, a judicial warrant issued under this threshold is way, way better than earlier proposals allowing warrantless access to metadata.  So the glass already is, in my view, half full. But is it full enough?

The reasonable suspicions standard is sprinkled through the criminal law in areas like drunk driving stops, production orders to financial institutions, tracking devices, telephone number tracking devices and use of sniffer dogs.  The Supreme Court said this about the concept in R. v. MacKenzie, 2013 SCC 50, a dog sniffing case: 
 

74   Reasonable suspicion means "reasonable grounds to suspect" as distinguished from "reasonable grounds to believe" (Kang-Brown, at paras. 21 and 25, per Binnie J., and at para. 164, per Deschamps J.). To the extent one speaks of a "reasonable belief" in the context of reasonable suspicion, it is a reasonable belief that an individual might be connected to a particular offence, as opposed to a reasonable belief that an individual is connected to the offence. As Karakatsanis J. observes in Chehil, the bottom line is that while both concepts must be grounded in objective facts that stand up to independent scrutiny, "reasonable suspicion is a lower standard, as it engages the reasonable possibility, rather than probability, of crime" (para. 27). ...

85     The reasonable and probable grounds standard is a more demanding standard than the reasonable suspicion standard. It follows inexorably from this that more innocent persons will be caught under a reasonable suspicion standard than under the reasonable and probable grounds standard. That is the logical consequence of the way these standards have been defined.

86     However unappealing that result may be, we should candidly acknowledge that it is the foundation on which Kang-Brown, A.M., and the other reasonable suspicion cases have been built. Indeed, Karakatsanis J. does just that in Chehil, explaining that the "factors that give rise to a reasonable suspicion may also support completely innocent explanations" because the "reasonable suspicion standard addresses the possibility of uncovering criminality, and not a probability of doing so" (para. 32 (emphasis in original)). We accept this cost to individual privacy as a reasonable one in part because properly conducted sniff searches are "minimally intrusive, narrowly targeted, and highly accurate" (Chehil, at para. 28). In short, we have judged the trade-off between privacy and security to be acceptable.

And so is collection of metadata minimally intrusive, narrowly targeted and highly accurate?   And is there reason to conclude that metadata collection from ISPs is more suspect and intrusive than telephone number recorders and tracking devices?  The courts have been all over the map on whether reasonable grounds to suspect is constitutional for the latter types of searches, although the Supreme Court's continued enthusiasm for the concept in other contexts may hint that the high court see reasonable grounds to suspect as a growth industry.

For my part, it is not clear to me that the metadata provision in C-13 is any different really than these sorts of searches. Is it more intrusive than a dog sniff search?  Is it more inaccurate?  I don't really know. But I am having trouble saying "yes".  Surely, metadata is capable of being more sweeping in what it reveals about us because electronic fingerprints go far, wide and last a long time. But sweep is something dealt with by the judge in setting out the scope of the warrant.  Whether the standard is believe or suspicion, I do not think either translates into "fishing expedition through you entire electronic archaeology". 

So in sum: I accept that I may be completely wrong about all of this.  But I am having some difficulty objecting to at least those provisions of C-13 discussed in this very long blog post.  I was not at all happy about warrantless access in prior bills.  But I am quite content with the half-full glass of a judicial warrant.  "Believe" vs. "suspicion" weighs less heavily in my concerns.

One final point, though.  If this is enacted, CSIS and Criminal Code warrants for metadata would now be on a different footing.  Before, CSIS had the cleaner system: one type of warrant application.  No worries about Part VI.  Now, though, the cops would have access to a warrant system that gets them metadata on the lower reasonable grounds to suspect standard.  If it sought the same data, CSIS would need to meet the reasonable grounds to believe expectation.  Whether this matters much in terms of affecting the complex information sharing arrangements between the agencies is hard to predict.  Maybe it will.  It wouldn't surprise me.  But it's not like we'll ever know.

So the C-13 "cyberbullying" bill may be a Trojan Horse. But it surely is better on lawful access than earlier bills tabled over the last eight years.  And so I don't believe in looking the gift horse in the mouth, even while always being wary of Greeks bearing gifts.