In the fine print, Tory cyberbullying bill gives legal immunity to some

Share

The preferred metaphor of government lawyers is "security blanket," but mine was derived from Monopoly. "Is this a get-of-jail-free card?" I asked them.

We were discussing Bill C-13, the so-called cyberbullying bill now being weighed by Parliament, but the word "cyberbullying" never really came up. Rather, the attention focused on one little clause, the one stating that should any cops come calling for a record in the course of an investigation, then anyone who "preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so."

The passage is so stark it reads to me more like billboard than a bill. A sweeping shield of proactive legal immunity, of a nature rarely seen in Canadian law.

Because this clause has been put there mostly for the benefit of Canada's phone and Internet companies, critics suggest it could have a dire downstream effect on privacy. The government contends that it actually changes nothing – the shield is already in place, and stuff that's now explicitly illegal to hand over will remain illegal to hand over.

What's not contentious, is this. In a new and noteworthy piece of legislation, the Conservative government is asking MPs to broadly sign off on the notion that no one ought to be sued – or put in jail – for forking over material to the government agents, regardless of whether or not said agents arrive with warrants.

For this reason alone, C-13 is a good opportunity for a broader discussion. What problems do laws like this try to solve anyways? Who has ever gotten prosecuted for giving a phone bill to a cop? And why should any lawmakers ever confer a get-out-of-jail-and-lawsuits-free card – on anyone?

–––––

The first thing you should know is that legislated immunity shields for communications companies are not a new idea. American lawmakers have lately been shielding telcos inside the United States. This is largely due to fallout from the U.S. intelligence agencies cajoling the handover of data they weren't entitled to have.

Know also that in Canada a variation of a certain dialogue happens hundreds, maybe thousands, of times a year. On the one side is a police detective. Or a tax collector. Or an intelligence officer. Or a border guard (for ease, we'll refer to these professionals as "investigators" from here on in).

On the other side is a member of a telco's "lawful access" department. And what these two parties do is haggle – haggle over those records which can be handed over to advance an investigation, and those records which cannot.

Ambiguities arise because many interception laws were crafted back in the bygone world of the 1970s – back when people used landlines, and when almost all electronic communications traced back to identifiable people in pinpointable places.

No longer.

Our data now floats in the cloud. Canadians use mobile phones, sometimes even "burner" phones. Web-and-emailed conversations move along Internet Protocol (IP) addresses that have a degree of anonymity baked in. It's true people still access the Internet from desktop computers in their homes – but others use smartphone applications, Internet cafes, airport wi-fi stations, and multiple SIM cards.

The upshot from a government surveillance perspective is that keeping broad tabs on the collective communications of everyone from a 10,000-feet-above-the-ground perspective has gotten a lot easier – but zooming in to any given person's full range of communications has gotten a lot harder.

This has left those investigators griping about rigid telcos not providing enough material. Officials at the telcos, meanwhile, complain about authorities feeling entitled to stuff that they are not supposed to have.

Warrants can help settle such disputes – to a point. Yet in Canada "warrantless" disclosure may be more the rule than the exception, given how there is a legal stratification at play. The most invasive forms of investigation require that warrants be produced. Those handovers deemed relatively benign do not.

It helps to think like an investigator does, and realize there are three broad categories of information handover.

It remains a Canadian Criminal Code offence for anyone – including federal agents (or rather, almost all federal agents, we'll return to this) – to wiretap anyone's conversation without a judge first approving the surveillance. It's for this reason that high legal hurdles remain in place for authorities to procure warrants that facilitate actual eavesdropping and bugging operations.

Not quite as high a legal bar impedes access to a secondary investigative tool – the "production orders" or "assistance orders" signed by judges that allow investigators to force the release of corporate records – such as a suspect's phone logs, or even a smartphone video he has in the Apple Corp. cloud. (Famously, the Toronto Police investigation involving Mayor Rob Ford's afterhours exploits relied on such techniques, used against a Ford associate.)

A third type of handover falls into the warrantless category – what's variously called "basic subscriber information" or "tombstone data" or "customer name and address." This is when investigators visit a telco in hopes of reconciling a specific known phone number or IP address to an unknown person.

The volume of these requests are huge. The federal investigative agency comprising the nation's border guards recently admitted it requested nearly 19,000 telecommunications records in a year – upholding that 99.4 per cent of the time it was out for a "BSI" or basic subscriber information.

Given those kind of numbers, federal regulators have devised mechanisms that bypass judges entirely. Essentially, for BSIs and the like, investigators give companies assurances that they have lawful investigations going on, as the telcos charge a $1-to-$3-a-shot "tariff" to recover costs associated with looking up phone-related customer names and address data..

Reconciling IPs is a trickier, less regulated business. There are many other greyer area handovers too – such as when authorities might invoke exigent circumstances to warrantlessly get a fix on the phone of a person in peril, or legally overreach by trying for a data dump of SMS texts.

Documents disclosed this month show that, in or around 2011, Canadian authorities requested the release of nearly 1.2-million records from nine telecommunications companies.

–––––

Complicating this picture even more is the fact that some Canadian intelligence agencies acquire domestic data in pursuit of "foreign intelligence" and national-security leads.

Such agencies are not usually brought into the C-13 debate, but the little that's known about their handover powers is also worth contemplating here – if only because their American cousins have been known to unlawfully acquire communications data first, and apologize later.

"Phone companies were giving their records based upon a letter from me – for several years," Michael Hayden, a retired U.S. National Security spymaster told The Globe during an interview earlier this month.

Coming to Toronto for a high-profile debate, General Hayden was harkening back to how, by invoking President George W. Bush's executive authority after the Sept. 11, 2001 attacks, his NSA pressed American telcos to secretly relay U.S. communications data – in bulk. And, once asked, the companies obliged.

When news of that program leaked, civil-liberties groups sued Washington, alleging an epic invasion of privacy by the state. Before judges could settle that issue, U.S. Congress then stopped the lawsuits dead in their tracks – by passing a retroactive legal shield that gave the American telcos immunity from any civil suits related to the NSA programs.

The offending programs didn't actually stop; many continued under a different legal authority. Nor did bids for telco immunity cease.

Just last year, the U.S. Congress contemplated a bill known as CISPA, which mulled giving a degree of immunity to telcos who provide customer records to the government officials working to thwart cyberattacks.

President Barack Obama threatened a veto on that one. But last week, The Guardian reported that the White House has itself circulated a note to Congress, urging lawmakers to consider another form of legal immunity – so "any person who complies in good faith with an order to produce records" will not face liability. This too, appears to be driven by fallout from U.S. intelligence agencies' past relationship with telcos.

In Canada, Parliament passed a variant of an immunity clause 13 years ago, one shielding the NSA's close counterpart.

After the 2001 terrorist attacks, Communications Security Establishment Canada was told to use its foreign-oriented electronic-eavesdropping powers to find foreign and domestic terrorists.

To that end, the Anti-Terrorism Act gave CSEC power to engage in certain kinds of domestic communications interception that would be illegal for any other federal agency to conduct.

A Minister of National Defence has to first bless such activities, which are kept classified from the public. Ottawa officials say this legislated loophole in anti-spying provisions of the Criminal Code was crafted to "to shield CSEC from criminal prosecution" and "permit CSEC to undertake activities that would previously have been prohibited."

It's not clear whether CSEC has ever used its statutory immunity – understood to facilitate "computer network operations" or more simply, hacking – to amass corporate records in a manner similar to the U.S. NSA. Most of the big telcos themselves broadly deny having any sort of warrantless handover relationship with CSEC.

–––––

So with all this in mind, I contacted the Department of Justice with some questions. I was eventually put in touch with some Justice Canada C-13 subject-matter experts, who spoke "on background" during a 20-minute phone conversation. The interview precondition was I could say I spoke to such officials, but I could not name names or quote them at length.

First, the government legal experts argue that there is nothing new in this bill. Should you ever get a Justice Canada legal expert on the phone to ask about C-13, he or she or they would likely tell you that the very same immunity language appeared in the failed 2009 iteration of lawful-access legislation.

Then they would suggest no new powers are actually being bestowed at all – just read Section 25 of the Criminal Code. If you do, you'll learn there's an immunity shield for those concerned Canadian citizens who help the cops by forcefully effecting citizens' arrests, but who would otherwise expose themselves to allegations of assault.

How might that apply to telecommunications companies? Government subject matter experts would probably suggest that the case law has extended this cover to corporations who cough up records to the government. In other words, Canada's telcos are already shielded from any blowback for stuff they hand over to investigators, and have been for a very long time.

You might then ask: Why codify a power that already exists, then?

I can confidently tell you that should you ever get a chance to put that question to Justice Canada C-13 experts, the words "sticklers" and "security blanket" might come up in conversation.

The gist would be along the lines that Canada clarified its laws about production orders in the early 2000s. The unintended consequence is that some skittish communications companies are now asking for a production orders every time a cop walks into their building – even when no production orders are needed at all. And because telcos are no more expert at thumbing through the Criminal Code than, say, Globe and Mail reporters, the feeling within government is that there needs to be a more explicit reassurance. A billboard clause, in effect, saying there will be no trouble.

Colin Freeze is an investigative reporter based in Toronto.