The Edward Drake building, a known CSEC headquarters in Ottawa. Image: Wikimedia Commons
To access an unlimited trove of personal information, all a government spy has to do in Canada is pick up a phone and call your internet provider—no written request required.
That revelation, brought to light by three different Canadian lawyers who’ve dealt directly with the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, regional police, and the Communications Security Establishment Canada, comes amid a string of startling revelations on the privacy front in Canada. This comes just weeks before Bill C-13 will make it easier for police to access online information without judicial authorization.
While there has been much debate about Bill C-13 and the Harper government's plans to aid data collection, it's already relatively easy for law enforcement to collect data. Under Canadian voluntary disclosure law, police are free to request, obtain, and use personal data. ISPs are free to provide it. Bill C-13 promises to expand law enforcement's data collection power while providing the ISPs with immunity from lawsuits and criminal charges.
The Personal Information Protection and Electronic Documents Act (PIPEDA) regulates voluntary disclosure of user data by telecommunications companies, banks, server farms, or whoever holds the key to one's personal data. Officials requesting the data need only prove they're conducting an investigation, a low threshold for law enforcement.
What's more, one interpretation of section 9 of PIPEDA forbids companies from reporting disclosures to users unless the company informs the law enforcement agency beforehand. There's a fear that doing so would open them up to the ire of the government for going on the record about warrantless data requests.
“I have recently had to deal with a client who had a request from CSIS for information,” said a Canadian lawyer who asked to remain anonymous. The lawyer and client asked CSIS to put the request in writing so it could properly consider the request. "CSIS said ‘it is against our policy to put those requests in writing.’”
Screenshot of the text of PIPEDA. Image: justice.gc.ca
Motherboard reached out to the intelligence service for more information and a spokesperson responded, “CSIS does not comment publicly on our interests, methodologies or activities."
Another frequent customer of this voluntary disclosure provision is the RCMP. One owner of a hosting company, who spoke to Motherboard on the condition of anonymity, says the RCMP sent a request in 2006 asking they provide personal details of a user who allegedly made a bomb threat on a message board. The RCMP was asking the hosting company—which is essentially a server farm and in no way owned or operated by the website—to obtain that user’s data, and sent local law enforcement to meet with the company, but the company refused. The RCMP told Motherboard that they only request users’ name and address.
These powers are regularly used by Canadian law enforcement. For example, one 2011 case, which stretched from Saskatchewan to Sarnia, involved a man’s alleged distribution of child pornography over file sharing site Gigatribe. The case was eventually thrown out for myriad reasons, but it was one particular issue that incised lawyer Craig Penney.
Penney says he tried to log onto his client’s account, only to find that the password wasn’t working. He recovered the account to discover someone changed it. Penney brought that fact to the judge and discovered the culprit was an officer in the Saskatchewan Internet Child Exploitation Unit. The officer sent a PIPEDA request to Gigatribe requesting the password.
“I would never have known,” Penney said, had he not followed the crumbs. “Even the officer in charge in Sarnia and the Crown were left in the dark.” Because the police asserted investigative privilege to bar information from the case to leak, the details of how the request went down are still unclear. Penney said the officer’s plan was to use the account to suss out the accused’s contacts on the site, effectively using the account as a sting operation.
Regardless of the goal, the fact police were able to obtain a Canadian's password without a court order or any oversight, judicial or otherwise, underlines the impunity of the current system. The lawyers I've spoken to in the past confess PIPEDA requests for obtaining so-called "tombstone information"—name, address, phone number—are commonplace. Since police aren’t required to leave a paper trail in the form of warrants or written requests, there’s no way of knowing how many of these requests take place each year.
The fact that police were able to obtain a Canadians’ password without a court order or any oversight, judicial or otherwise, underlines the impunity of the current system.
Sean Carter, a Toronto lawyer who has experience with warrantless disclosure, said off-the-books requests are not exactly uncommon. “They hate putting it in writing,” he said. “It’s so hard to follow the trail back to the actual request.” Carter pointed out that if they obtain data from a company, and use that to put together evidence for a production order or warrant, nobody would ever be the wiser that they obtained the data in the first place.
According to one lawyer who was not at liberty to speak publicly, CSEC was tasked after a charity helping Palestinian orphans that Ottawa believed was funneling money to Hamas. The case never made it into a courtroom and CSEC never obtained a warrant or production order. Instead, the spooks targeted a Canadian permanent resident who was involved with the charity.
The same lawyer says they tracked that permanent resident during a trip to the United Kingdom, and called up an English telecommunications company to obtain his phone data while in the country. The lawyer confirmed the information was obtained through a PIPEDA request. The evidence they obtained was used in the Canadian Revenue Agency’s efforts to deregister the charity. CSEC’s backdoor information-gathering on the permanent resident were never made public.
The media relations office for CSEC was categorical in an emailed statement about their alleged use of voluntary disclosure tracking a Canadian national. “[CSEC] does not direct its foreign intelligence activities at Canadians anywhere in the world, or at anyone in Canada,” the spokesperson said. “Under its assistance mandate, [CSEC] can only assist other federal law enforcement or security agencies when the requesting agency has the appropriate lawful authority, such as a warrant.”
When asked about the incident the lawyer attested to, CRA didn't deny it. A spokesperson for the CRA would not confirm specifics, but did note, “the CRA works with other government and law enforcement organizations to assist in the fight against terrorism and to protect the charitable sector from abuse, including the exploitation of charitable resources to support terrorism.” While the spokesperson did not name CSEC, they mention CSIS as a common partner.
Motherboard reached out to the major Canadian telecommunication companies, asking for information on law enforcement disclosure. Bell, boasting over a quarter of the country as customers, refused an interview. Bell did offer a statement via email, explaining, “We will provide basic 411-style information such as customer name and address based on a phone number, unless unlisted. This information is defined as non-confidential by the CRTC, which regulates the process. Any further information requires a court order.”
Several court documents, however, shows Bell frequently discloses contact information of its subscribers based only on an IP address provided by police. In one case, German authorities provided the RCMP with a list of Canadian IP addresses that accessed pages containing child pornography, some of which were registered with Bell. The RCMP provided the IP addresses and Bell provided a name. The RCMP sent six requests in all, with a letter reading, “Should you agree to this request, please provide the information in the section below and reply via email.”
That’s one in a long line of cases where telecommunications companies gave up data without much hesitation—SaskTel, Rogers, Bell—the list goes on. When Motherboard put that case to Bell, the tune changed. A spokesperson said they never fork over your personal data “except in emergency situations in which lives are in danger.”
Rogers, who counts nearly 10 million Canadians as customers, said similar. Besides an initial categorical denial that Roger’s hands over customer data without a warrant, a spokesperson said “we scrutinize all requests and yes, for child sexual exploitation cases we will provide the name and address associated with an IP address.”
SaskTel similarly denied the practise, only to later note that any circumstances where user data was released without a warrant, “the information was released through legal processes.” Requests to Telus, Manitoba Telecom Services and Videotron were not returned. Several ISPs confirmed that they simply don’t respond to these requests, like Teksavvy, a smaller provider.
The Harper government has deflected criticism of its warrantless disclosure program, saying that the data being surrendered isn’t of real privacy concern. It’s what you’d find in a phonebook, the government argues.
“Only the most basic information, such as the name and phone number, may be released,” Public Safety Minister Steven Blaney told the House of Commons.
But when Motherboard asked the Justice Department what rules are in place to constrain what police are allowed to ask for—say, someone’s call logs—the Justice Department responded: none.