Texting a friend, searching a recipe, or requesting a cab or ride share. Participating in today's world means risking our privacy or giving it up entirely. In previous blog posts, we talked about surveillance and device tracking used by government and law enforcement agencies. While most countries require law enforcement authorities to acquire judicial approval before wiretapping and intercepting private communications or data, loopholes have allowed it to be used more frequently by government authorities in many major countries, including Canada. Since the way in which authorities use wiretapping and inception is a bit foggy, it seems more widespread "unofficial" surveillance may be taking place.
In Canada, law enforcement agencies have the ability to lawfully gain access to individual data held by private-sector companies operating within Canada as well as the personal communications of all Canadian citizens. It is true that in order to wiretap and intercept communications, law enforcement agencies must obtain special interception warrants approved by the judiciary for investigative purposes which is intended to prevent abuse of electronic surveillance mechanisms by these very agencies. These warrants are granted only after special conditions are demonstrated and are only valid for a limited period of time. However, documents obtained by several news outlets in the past decade indicate that the extent to which the communications of Canadian citizens are being intercepted is far greater than these official warrants reveal.
Despite the rigorous judicial process that law enforcement agencies must go through in order to obtain wiretapping and interception warrants in Canada, the details of how many of these authorizations are granted are not revealed. Part of the issue is that the majority of these authorizations are given at the provincial and municipal levels of law enforcement, which are not reported in the same way that federal authorizations are. Federally, the year 2011 saw at least 6,000 judicially-approved wiretaps executed in Canada across all levels of government, a figure which was revealed by documents obtained by Motherboard, a technical news division of Vice.(1) These documents also showed that approximately 12,000 requests for Call Detail Records (CDRs) were authorized per year up to that point. But the most troubling about these documents was the revelation that the Canada Border Services Agency (CBSA) made 18,849 requests for subscriber information from telecommunications companies between 2012 and 2013, but only 52 of these requests required a warrant.(2) The documents also showed that telecommunication companies received nearly 1.2 million requests for subscriber information from law enforcement agencies in 2011 alone, indicating that this information is being used extensively by multiple agencies. Without judicial oversight involved in the vast majority of these cases, it is clear that Canadian citizens are having their data privacy violated frequently.
In terms of how interception was carried out, telecommunications was the most common method from 2013-2017. Telecommunications interceptions accounted for more than two-thirds of all interceptions conducted, far exceeding both microphone and video intercepts.(3) The 2017 Annual Report on the Use of Electronic Surveillance provides some details about federal authorizations for communications interception, but the usefulness of this data is limited given the fact that most surveillance is conducted below the federal level and not included in this report. However, the report does reveal the typical time frames involved when warrants for electronic surveillance are granted to law enforcement agencies. According to the report, intercept warrants begin with an authorized operational window of 60 days, after which point authorities can apply to extend the authorization in further 60-day increments.
Canadian law enforcement agencies can also request "tower dumps" from cellular service providers. These tower dumps require obtaining a production order warrant from a judge, which compels telecommunications companies to provide the requested data. A notable case of this occurring was in the 2011 investigation of a shooting death conducted by Peel Regional Police, which saw investigators acquire the subscriber data and call records of anyone who used their mobile devices in the vicinity of several cell towers in Mississauga, Ontario.(4) None of the information obtained from the cell towers was used in the eventual conviction of the suspected shooter, and the other individuals who had their cellular data accessed were never informed of this breach, as it was not required that this be reported to them.(5) These surveillance practices violate the privacy of many law-abiding citizens who have no involvement with, or who are not suspected of, any crime. Further, it remains unknown what happens to the data obtained in these tower dumps, because this is also not required to be reported. It appears that police have turned to using mass data-gathering techniques such as tower dumps instead of traditional wiretaps in many cases because these involve less oversight and are easier to obtain.
Basic Subscriber Information (BSI) is information such as an individual's name, telephone number, email address, or home address. Information of this type is held by many telecommunications companies in their subscriber databases and can be useful for law enforcement to connect names to personal communications and physical addresses. Unlike the interception of private communications, BSI can be requested by law enforcement and freely provided by telecommunications companies without judicial authorization or review. Call Detail Records (CDRs), which are the numbers dialled from a telephone, also do not require a warrant to access or obtain. Under government statute, requests for access to CDRs and BSI do not have to be recorded or reported to the public, resulting in an incomplete picture of these surveillance techniques. In 2013, Rogers revealed that it had received 74,415 "court orders/warrants" for various forms of access to user data, but did not offer any details about where these requests came from or what exactly they entailed.
A great deal of data regarding the use of electronic surveillance methods in Canada is unavailable because the vast majority of surveillance is conducted by provincial and municipal authorities who are not required to report these activities in the same way that federal authorities must. The result is that the true extent of judicially-authorized surveillance activities is largely unknown or difficult to determine. Further compounding this transparency issue is the easy availability of BSI and CDRs. While the Supreme Court of Canada did rule in 2014 that BSIs require a search warrant, some portions of subscriber data like names and telephone numbers still seem to be available to law enforcement upon request without any documentation. So, it would be safe to assume that the true extent of electronic surveillance in Canada far exceeds what has been revealed, and that private data is routinely accessed without any kind of search warrant. The existence of many off-the-record surveillance activities provides a compelling argument for the importance of data security and encrypted communication devices.