UNCLASSIFIED Lawful Access Implications of the Supreme Court Decision in R. v. Spencer ISSUE June 2014 Supreme Court of Canada decision in R. v. Spencer challenges for law enforcement and national security agencies in accessing Basic Subscriber Information Sb. BACKGROUND Basic Subscriber Information: ‘© Typically includes information such as an individual’s name, address, telephone ‘number (similar to in a phonebook) but may also include the individual's email address, IP address and/or local service provider identifier. * BSIis often a first step for police when seeking judicial authorization to access the actual content of electronic communications. R. v, Spencer: * On June 13, 2014, the Supreme Court of Canada released its unanimous decision in Rv. Spencer, dismissing the appeal and confirming the conviction of possession of child pornography. The court found that the police request for basic subscriber information breached Mr. Spencer's section 8 Charter rights; however, under section 24 (2), the Court held that despite the breach, the evidence should be admissible and therefore upheld the conviction. In its decision, the Court states that where BSI can reveal a person’s “personal choices or lifestyles” (which may be compared to the “biographical core information” protected under section 8 of the Charter), a reasonable law, which can be met with a warrant or exigent circumstances, are required for that information to be obtained lawfully. * The Court’s decision speaks specifically to the need for the lawful authority to access BSI only in cases where there was a reasonable expectation of privacy. ‘+ Until June 2014, Government and law enforcement agencies most frequently acquired BSI by requesting communications service providers to release it voluntarily under the Personal Information Protection and Electronic Document Act (PIPEDA) ot by compelling the communications service providers to provide this information in the context of ongoing investigations pursuant to a court order. Impact of R v. Spencer: ‘© Most communications service providers and some other private businesses (e.g., banks and rental agencies) have interpreted the R v. Spencer decision cautiously and broadly, and have ceased voluntarily providing any BSI. ©. Police are experiencing investigative delays of up to several weeks compared to voluntary requests that typically took 24 hours or less to process prior to the decision. Due to the processing delays, they may also experience gaps in accessing the necessary information because communications service providers may not keep their logs for more than 30 days. Prepared: March 24, 2016 by the National Security Operations Directorate, Public Safety Canada 000001UNCLASSIFIED ‘© Police are not advancing certain investigations due to unsustainable workloads, such as the work and cost associated with obtaining judicially authorized production orders or warrants to access BSI, or an inability to meet judicial threshold early on in the investigation, CURRENT STATUS Currently, specific legislation doesn’t exist for law enforcement to access BSI and they now have to use generic tools that exist in the Criminal Code of Canada, such as a production order or search warrant; however, these tools are not designed for this purpose. These tools are designed for much broader investigative activities and have a proportionally more difficult test to demonstrate to a judge before the judge can approve the use of the tool. NEXT STEPS In light of these challenges, the Government is exploring options to address the R v. Spencer decision to ensure that law enforcement and national security agencies have the tools they need to conduct effective investigations. Other groups, such as the Canadian Association of Chiefs of Police, have also been looking at this issue and the Commissioner of the RCMP has spoken publicly about the challenges it poses and the need to find solutions to support Jaw enforcement. Prepared: March 24, 2016 by the National Security Operations Directorate, Public Safety Canada 00002Document Released Under the Access to Information Act / Document divulgué en vertu de la Loi sur laccés a l'information UNCLASSIFIED, ) = ACCESS TO BASIC Si RIBER TION AND THE ‘SUPREME COURT OF CANADA DECISION IN R.V. SPENCER ‘Sponsoring Jurisdiction: Justice Canada and Saskatchewan A Deputy Minister from Saskatchewan will chair this discussion and summarize the decision outcomes at the end of the discussion. Karen Audcent, Senior Counsel, Criminal Law Policy Section, Justice Canada, will provide the presentation, along with Lucie Angers, General Counsel/Director, External Relations, Criminal Law Policy, Justice Canada, and Dale Tesarowski, Crown Counsel, innovation Division, Ministry of Justice, Saskatchewan, This item is of interest to both Justice Canada and Public Safety Canada, but Justice will lead the discussion, EXPECTED DECISION OUTCOMES: Federal/Provincial/Territorial (FPT) Deputy Ministers (DMs) acknowledged the impact the Spencer decision has had on law enforcement and national security agencies. FPT. ‘s.14(a) s.24(tya) FPT DMs agreed that they will seek FPT Ministers of Justice and Public Safety approval to release a summary of the Cybercrime Working Group Report on Basic Subscriber Information and the Supreme Court of Canada Decision in R. v. Spencer prior to the next FPT Ministers’ meeting. TEGIC ADVICE, s.24(tia) (Continued on next page) RDIMS #1828094 1 Last Updated: May 24, 2016 ‘000003Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur laccas a l'information s24(tKa) ‘UNCLASSIFIED ‘* Approve the report and recommend that FPT DMs seck FPT Ministers approval to release a summary of the Cybercrime Working Group Report on Basic Subscriber Information and the Impact of the Supreme Court of Canada decision in R. v. Spencer prior to their next meeting ‘* Agree to provide the recommendations developed by the Cybercrime Working Group to FPT Ministers of Justice and Public Safety for their consideration; and TALKING POINTS FOR THE DEPUTY MINISTER The following responsive TPs are recommended, following Deputy Minister Pentney's ‘comments, RESPONSIVE TALKING POINTS ¢ Canadians are embracing the many advantages that the internet offers, but along with this increased reliance on technologies comes vulnerabilities from cyber threats and cybercrime. © Mon ministére est conscient des difficultés auxquelles sont confrontés les organismes d’exécution de la loi et les organismes de sécurité nationale pour accéder aux renseignements de base des abonnés. II est déterminé a collaborer avec eux et d’autres intervenants principaux en vue de trouver des solutions appropriées pour qu’ils disposent des outils dont ils ont besoin pour mener des enquétes efficaces et assurer la sécurité des Canadiens. (Continued on next page) RDIMS #1828094 2 Last Updated: May 24, 2016 000004Document Released Under the Access to Information Act / Document divulgué en vertu de la Loi sur laccés a l'information s24(a}(a) UNCLASSIFIED © Central to this work is the consideration of both keeping Canada safe and ensuring the personal privacy of Canadians. « My Department supports the proposed approach recommended by the Cybercrime Working Group iia IF. ED JN, RESPONSIVE TALKING POINTS REGARDING RECOMMENDATIONS « Iam supportive of the proposed approach recommended by the (Continued on next page) RDIMS #1828094 3 Last Updated: May 24, 2016 ‘000005Document Released Under the Access to Information Act / Document divulgué en vertu | de la Loi sur laccés a l'information UNCLASSIFIED © 1 would propose that these recommendations be shared with FPT Ministers of Justice and Public Safety for their consideration and that Deputy Ministers seek Ministers’ approval to publicly release a summary of the report developed by the Cybercrime Working Group on Basic Subscriber information and the Impact of the Spencer decision. © I support that the Cybercrime Working Group undertake additional work to flesh out the details of the recommendation and to report back to Deputy Ministers with a status update at our next meeting. RDIMS #1828094 4 Last Updated: May 24, 2016 ‘000006Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur acces a Finformation UNCLASSIFIED BACKGROUND Basic Subscriber Information (BSI) is information that corresponds to a customer's telecommunications subscription, such as name, home address, phone number, email address, and internet protocol address (IP). BSI provides law enforcement and national security agencies with key information that is particularly useful at the outset of a criminal investigation, and may also be used to further an investigative lead. The Spencer case stems from a child pomography investigation. In this case an IP address assigned to a Shaw customer was accessing a child pomography website that was being monitored by the Saskatoon Police. The police used a Law Enforcement Request (LER) to request and obtain the BSI, related to the IP address, from Shaw that led to Mr. Spencer. At the time, most of Canada’s telecommunications service providers were complying with LERs, which were made in relation to child sexual exploitation cases. In this specific case, ‘Shaw voluntarily provided the information to the police and then the police sought and obtained a search warrant to seize Mr. Spencer's computer. The accused challenged the LER on the basis of a reasonable expectation of privacy in an IP address under section 8 of the Canadian Charter of Rights and Freedoms (Charter). The decisions of the Saskatchewan Court of Appeal and the Saskatchewan Court of Queen’s Bench upheld the use of the LER for basic subscriber information, holding that there was no reasonable expectation of privacy in the information attached to the IP address. Mr. Spencer appealed to the Supreme Court of Canada. On June 13, 2014, the Supreme Court of Canada released its unanimous decision in &. v. Spencer, dismissing the appeal and confirming the conviction of possession of child pornography. The Court disagreed with the trial judge and Saskatchewan Court of Appeal, both of which found that police obtaining BSI did not breach Mr. Spencer's s. 8 Charter rights. The Court found that the police request for BSI in this case breached Mr. Spencer’s s 8 Charter rights; however, under s. 24 (2), the Court held that despite the breach, the evidence should be admissible and therefore upheld the conviction. The Court also upheld the Saskatchewan Court of Appeal’s order of a new trial given the trial judge’s error in interpreting the offence of making available child pornography under subsection 163.1 (3) of the Criminal Code. In its decision, the Court stated that where BSI can reveal a person’s “personal choices or lifestyles,” which may be compared to the “biographical core information” protected under s. 8 of the Charter, a reasonable law, warrant, or exigent circumstances are required for that information to be obtained lawfully. While concluding that the search was in violation of the Charter, the Court stated that nothing in the decision diminished the existing powers of the police to obtain BSI without a warrant in exigent circumstances, and that this information could also be provided pursuant to a reasonable Jaw. Further, the Court confirmed the existing common law powers of police to make enquiries relating to matters that are not subject to a reasonable expectation of privacy. This decision came amidst public concem that authorities were quietly gaining access to customer data with little oversight or independent scrutiny. Until June 2014, law enforcement and national security agencies most frequently acquired BSI by requesting communications service providers release BSI voluntarily under the Personal Information Protection and Electronic Document Act (PIPEDA) or by compelling, RDIMS #1828094 5 Last Updated: May 24, 2016 000007s.t4(ay s.24(4}la) s.14la) s.21(t}a) Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur acces a Finformation ‘LASSIFIE! the communications service providers to provide this information in the context of ongoing investigations pursuant to a court order. However, since June 2014, most communications service providers and some other private businesses (e.g., banks and rental agencies) have interpreted the Spencer decision cautiously and broadly, and have ceased voluntarily providing any BSI. ‘As a result, law enforcement and national security agencies must now seek warrants (c.g., production orders) to obtain BSI, which has added a heavy administrative and financial burden to investigations. This has also created challenges, including long delays or not pursuing the case at all. Furthermore, the Spencer decision has led to varied interpretation with respect to exigent circumstances. Currently, there are no tools in the Criminal Code designed to compel access to BSI. As a result, law enforcement agencies have been making use of the general production order where possible. However, these orders require a high threshold of “reasonable grounds to believe”, which is designed for a broad power (larger search scope), and may not be possible to meet at an early stage of an investigation when BSI is needed. PUBLIC SAFETY POSITION The challenges stemming from the Spencer decision have been an area of focus for PS, as well as for portfolio partners. Commissioner Paulson, Royal Canadian Mounted Police, has written to Minister Goodale to raise the challenges law enforcement is facing following the decision and to convey his views on the need for urgent legislative action to address the impacts. Commissioner Paulson has also spoken publicly on the need for warrantless access to BSI. In addition, in August 2015, the Canadian Association of Chiefs of Police (CACP) passed resolution 2015-03, which supports the creation of a reasonable law designed to specifically provide law enforcement with the ability to obtain BSI from telecommunications providers. PS continues to engage with portfolio partners and key stakeholders to discuss the challenges and potential solutions moving forward. RDIMS #1828094 6 Last Updated: May 24, 2016s14(a) s21(tKa) s.t4(a) s.24(1)(a) Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur Taccas a l'information UNCLASSIFIED. for appropriate tools for judicial oversight and authorization where circumstances involving a reasonable expectation of privacy are higher, such as in Spencer; and an administrative scheme where judicial authorization is not required as there is lesser expectation of privacy, such as with name, address, telephone number, internet address, or whether records for an individual subscriber exist at all. The administrative scheme could also be used in other instances where BSI could help enable a non-criminal policing function, such as helping with missing persons (e.g, Alzheimer patient) or when returning stolen property. The legislation would also include provisions to ensure that a process exists to permit law enforcement to respond quickly in emergency (exigent) situations, such as ensuring they have authority to immediately access BSI when it is needed for public safety reasons. It is important to note that PS will be engaging in a national security review which will cover a variety of issues, including those related to access to BSI and other investigative challenges in a digital world. It may also leverage the FPT CCSO CWG as key stakeholders in these processes as it moves forward. As such, PS supports the public release of a summary of the CWG paper on BSI and the impact of the Supreme Court of Canada decision in R. v. Spencer in advance of the next FPT Ministers meeting, This summary could be used to leverage discussions that will form part of the national security review. Furthermore, PS supports sharing the recommendations developed by the CWG with the FPT Ministers for their consideration. PROVINCIAL/TERRITORIAL CONSIDERATIONS, The issues and challenges stemming from the Spencer decision are jointly shared across the FPT table and there is a mutual desire to come up with appropriate solutions. As such, members of the FPT CCSO CWG, including PS officials from the National and Cyber Security Branch, have met on several occasions, to discuss the impact of the Spencer decision, the challenges being faced by Jaw enforcement and potential solutions. 7 7 RDIMS #1828094 Last Updated: May 24, 2016 aDocument Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur laccas a l'information s.24(1}(a) UNCLASSIFIED, CURRENT STATUS/NEXT STEPS For the purposes of this meeting, the FPT CCSO CWG has prepared a Report on Access to Basic Subscriber Information and the Impact of the Supreme Court of Canada’s Decision in R.v. Spencer. The report highlights the current challenges and issues law enforcement and national security agencies face when it comes to access BSI. It is recommended that the CWG reconvene following the FPT DMs meeting to discuss the ‘outcome of the meeting and Given the other work that is currently on-going within PS in the context of the a national security review, it is recommended that the CWG report back to FPT DMs with a status report on the work and next steps at the next scheduled meeting. RDIMS #1828094 8 Last Updated: May 24, 2016 ‘000010Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur laccas a l'information UNCLASSIFIED ‘CYBERCRIME ~ ACCESS TO BASIC SUBSCRIBER INFORMATION AND THE SUPREME COURT OF CANADA DECISION IN &. V. SPENCER Sponsoring Jurisdiction: Justice Canada and Saskatchewan Justice Canada is the federal lead for this item. You will be expected to chair this item and to summarize the decision outcomes at the end of the discussion. You will invite Minister Wilson-Raybould and a Deputy Minister from Saskatchewan to lead this item. EXPECTED DECISION OUTCOMES: Ministers agreed with the recommendations contained in the report of the Coordinating Committee of Senior Officials ~ Criminal Justice (CCSO) Cybercrime Working Group (CWG), including that there be legislative reforms to address access to Basic Subscriber Information (BSI) in the wake of the Supreme Court’s 2014 Spencer decision. Ministers also agreed that the CWG continue working to develop the details of the proposed legislative reforms, including consultations with relevant stakeholders as required. STRAT) Tris recommended that you: a © endorse the recommendations in the CWG report; RDIMS #1942696 1 Last Updated: September 30, 2016 000011Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur laccés a l'information s.24(4)(a) UNCLASSIFIED, TALK USTER Justice Canada is the federal lead for this item, The following responsive TPs are recommended following the Minister Wilson-Raybould’s comments, © I would like to join my colleague, the Minister of Justice, in expressing the importance of putting in place the legislative tools needed to ensure that law enforcement has appropriate access to basic subscriber information, while at the same time respecting the privacy of Canadians. (Continued on next page) RDIMS #1942696 2 Last Updated: September 30, 2016 000012Document Released Under the Access to Information Act / Document divulgué en vertu de la Loi sur laccés a l'information UNCLASSIFIED ¢ As you are likely aware, the Government of Canada is currently undertaking extensive public consultations on a range of security topics, including basic subscriber information. © Given the importance of public engagement, I also support the development of a longer-term outreach and communications strategy for basic subscriber information that would deepen the dialogue with Canadians on this important issue. BACKGROUND ‘On June 13, 2014, the Supreme Court of Canada ruled in Rv. Spencer on the authority of the police to obtain BSI from telecommunications service providers (TSPs) on a voluntary basis in relation to an Intemet Protocol (IP) address accessing child pornography. In a unanimous decision, the Court found that Mr. Spencer had a reasonable expectation of privacy under section eight of the Charter of Rights and Freedoms in his identity when linked to his anonymous online activities. The common law authority of the police to ask questions and obtain information voluntarily was insufficient lawful authority to obtain the subscriber information in that case. The Court also stated that nothing in its decision diminished the powers of the police to obtain BST in exigent circumstances, and that BSI could also be provided pursuant to a reasonable law ‘or where there was no reasonable expectation of privacy. Following Spencer, TSPs have become extremely reluctant to provide information on a voluntary basis, even in situations where Syencer’s application is unclear. In order to obtain BSI, police have resorted to using general production orders. These are designed to obtain a broad category of information, and thus require reasonable grounds to believe that an offence has been committed (a robust threshold). This is problematic, however, as general production orders were not designed for BSI, and investigators may not have sufficient evidence during the early stages of an investigation — often when BST is most needed ~ to obtain one. Moreover, in some cases TSPs have even refused to confirm or deny if records are in their possession — knowledge that is required for the issuance of a production order. RDIMS #1942696 3 Last Updated: September 30, 2016 oes.14(a) s21(tKa) Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur Taccés a l'information UNCLASSIFIED. Nonetheless, jurisprudence has recently begun to emerge that narrows the scope of Spencer to circumstances involving the Internet that are similar to the original Spencer case. These decisions have found that the long line of jurisprudence prior to Spencer which held that the public has no reasonable expectation of privacy with regard to telephone information were not overturned by Spencer. PROVINCIAL/TERRITORIAL CONSIDERATIONS, ‘The report reflects the consensus views of the CWG. Non-federal members of the CWG who contributed to the development of the report include officials from Ontario, Quebec, Newfoundland, New Brunswick, Saskatchewan, Alberta and British Columbia. All jurisdictions were strongly of the view that legislative reforms are needed in the wake of the Spencer decision. CURRENT STATUS/NEXT STEPS At the October 2014 meeting of the FPT Ministers Responsible for Justice and Public Safety, Ministers described the impact of R. v. Spencer on the criminal justice system in their respective jurisdictions. Given the serious implications of this decision for public safety, Ministers agreed to ask the CCSO to consider options that would balance the needs of law enforcement and the privacy interests of Canadians. PUBLIC SAFETY POSITIOT Public Safety Canada concurs with the key recommendations of the CWG report. Should Ministers endorse the report, then we would work with Justice Canada to develop specific options for a balanced solution to the current BSI challenges under the general framework agreed upon by Ministers. ‘As you are aware, the Government of Canada Online Consultation on National Security was launched on September 8, 2016, and will end on December 1, 2016. “Investigative Capabilities RDIMS #1942696 4 Last Updated: September 30, 2016 000014s24(1Ka) Document Released Under the Access to Information Act / Document divulgué en vertu de la Loi sur laccés a l'information UNCLASSIFIED in a Digital World” is one of the ten topics covered by this consultation. This topic includes a consideration of the challenges related to basic subscriber information, intercept capability, encryption and data retention, all of which are ongoing issues for Canada’s national security and law enforcement community. [EREEEREEETELEEEEEEEEER EEE EEREEEREEEREEEEEREEREUEEEEEEEREEEEEEEEEEE EEERESEEEE EEE EEREEEEEEEDEDEEEEEEEREREEEEESEEETEEESEREEETEEEEEREEET RDIMS #1942696 5 Last Updated: September 30, 2016 eaeDocument Released Under the Access to Information Act / Document divulgué en vertu de la Loi sur acces a Finformation BLANK PAGE / PAGE BLANCHE 000016Pages 17 to/a55 are withheld pursuant to sections sont retenues en vertu des articles 13(1)(c), 14(a) of the Access to Information de la Loi sur I'accés a l'informationDocument Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur Taccas a l'information BLANK PAGE / PAGE BLANCHE 000056Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur acces a Finformation J eS Saute otto Canada Canada October 2016 Meeting of Ministers Responsible for Justice and Public Safety Access to Basic Subscriber Information Media Lines ‘+ The Government of Canada is currently conducting a public consultation to obtain Canadians’ views to ensure Canada’s national security framework is effective in keeping Canadians safe, while also safeguarding our rights and values in a free and democratic society. * As part of its consultation on national security, the Government has chosen to. hear from Canadians on Access to Basic Subscriber Information (BSI). + The input that the Government receives from Canadians, including experts, stakeholders, and Parliamentarians, will help inform the development of national security law and policies. «The security and privacy of Canadians are both crucial considerations for BSI * All Canadians are welcome to participate in the online consultation from now until December 1*, 2016, at: Canada.ca/national-security-consultation Approved by: Sophie Beecher, Director, NS Intelligence John Davies, OG, NS Policy Monix Beauregard, SADM, NSCB Goverment onemaner Canadit ofCanada du Canada 000057Document Released Under the Access to Information Act / Document divulgue en vertu de la Loi sur Taccés a l'information ‘Sécucé pubique Pub Safety Canada canada Infocapsules Réunion des ministres responsables de la Justice et de la Sécurité publique ‘Accés aux renseignements de base sur les abonnés Octobre 2016 Infocapsules * Le gouvernement du Canada mene actuellement une consultation publique en vue d'obtenir opinion des Canadiens pour s'assurer que le Cadre de sécurité nationale du Canada les protége avec efficacité, et ce, tout en préservant nos droits et nos valeurs dans une société libre et démocratique. * Dans le cadre de sa consultation sur la sécurité nationale, le gouvernement a choisi d’entendre les Canadiens au sujet de l'accés aux renseignements de base sur les abonnés (RBA). + Les commentaires que le gouvernement regoit des Canadiens, y compris des experts, des intervenants et des parlementaires, contribueront & éclairer l'élaboration de lois et de politiques sur la sécurité nationale. * La sécurité et la vie privée des Canadiens sont des préoccupations cruciales pour les RBA. * Tous les Canadiens sont invités a participer a la consultation en ligne dés maintenant et jusqu'au 1° décembre 2016, 4 Canada.ca/consultation-securite- nationale. Approuvé par: Sophie Beecher, drectrice, Politiques du renseignement, Secteur de la sécurité et de la cybersécurité nationale John Davies, directeur général, Direction générale des politiques de la sécurité nationale Monik Beauregard, sous-ministre adjointe principale, Secteur de la sécurité et de la cybersécurité rationale : a heen comes Canada 000058Pages 59 to/a61 are withheld pursuant to sections sont retenues en vertu des articles 13(1)(c), 14(a) of the Access to Information de la Loi sur I'accés a l'informationANNEX 2 - BASIC SUBSCRIBER INFORMATION Introduction Telecommunication services are essential to many aspects of the daily lives of Canadians all across the country. These services, however, are also a critical medium for individuals involved in the planning and undertaking of criminal activities, and in developing and executing plans that threaten national security. The ability to identify the subscriber to a telecommunication service is and has always been of fundamental importance to police and national security’ investigators Until the mid-1990s, Basic Subscriber Information (BSI) associated with telecommunication services was limited to the set of data associated with the use of wireline telephones: a person's name, the telephone number and the billing address (typically the residence or business where the phone was physically located). This data was generally available from a telephone book with the exception of a small percentage of unlisted phone numbers. In the mid-1990s, cellular phones, e-mail and webmail addresses became accessible to average consumers, and phone books were no longer the single authoritative source for BSI. Mobile phone numbers and e- mail addresses were not published in these directories. The market began to diversify with growing competition, and multiple phone companies emerged, offering multiple services. A person could have a residential phone and e-mail services with one company and a cellular phone with another. This increased the difficulty of identifying criminals and individuals posing a threat to the security of Canada, ‘The growth of the Internet and an increasingly diverse set of services riding on top of the Internet, sparked by the World Wide Web, compounded this challenge by creating another important form of subscriber information. The technological landscape continued to evolve rapidly and it was not long before Internet Protocol (IP) addresses, which initially were linked back only to desktop computers, began to be associated with cell phones as well. As a result of these developments, there are multiple sets of data, a proliferation of computers, cell phones, tablets, and a plurality of telecommunications companies. Subscriber information has become increasingly important as individuals and businesses communicate more often and in mote diverse ways with several devices in the course of a day. Today, in addition to people and their ‘communication devices being connected to the Internet, billions of IP addresses are also being assigned to other things, and groups of things, which may include but are not limited to: vehicles, thermostats, alarm systems, power substations, home appliances and water meters. ‘These are just a few of the objects in our digital society that are now connected and communicating using the Internet. * Please note tha, as a forcign intelligence and information technology secutity agency, the Communications Secusity Establishment Canada (CSE) does not conduct national security or law enforcement investigations. It also does not direct its foreign inteligence or cyber security activities at Canadians or anyone in Canada, As such, the tools discussed in this annex do not relate to CSE. 00062With the massive growth in the volume and variety of communications technologies, the need to maintain efficient access to BSI has become even mote important to law enforcement and national secutity investigators. Identifying the subscriber associated with an IP address used in 1 specific communication is one of the most often sought types of data in domestic and international criminal investigations, as well as in many national security and regulatory investigations. Just as subscriber information itself has changed with the evolution of technology, so did the understanding of subscriber information as personal information. How subscriber information fits into the privacy landscape is not a simple matter. In a world where the volume of information has expanded exponentially, many countries have introduced data protection and privacy statutes, In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in the context of commercial businesses in Canada and their collection of personal information. PIPEDA established a framework for how personal information could be collected, retained, disclosed and destroyed. Until recently, court cases adopted the view that BSI was predominantly public ~ it was available in a phone book and in that context, it did not seem to attract an expectation of privacy; it did not seem to matter whether subscriber information was associated with residential phones or cell phones. The general view was that this sost of subscriber information had little ot no expectation of privacy associated with it and it was routinely obtained by police from phone companies for a nominal fee upon request. ‘The situation with respect to IP addresses is somewhat different. IP addresses can be dynamic or static — that is, every time a device establishes an internet connection it can be given a different IP address (hence “dynamic IP”). On the other hand, as modems began to be connected to the Internet all the time (rather than being switched on and off), static IP addresses became more common. The practice with respect to obtaining the subscriber information associated with an TP address therefore began with a different type of look-up than the subscriber information associated with a phone — not billing information that was generally unchanging month to month, but a search through data logs to determine what dynamic IP address was assigned to a specific subscriber at a specific date and time. The expectation of privacy associated with an IP address was also unclear and the lawful authority for the police to obtain an IP address varied across the country, ‘A cooperative effort has been developed among law enforcement, government and industry to address the expectation of privacy associated with an IP address in one particular circumstance: child sexual exploitation cases involving the Internet. A standard form was created, called a Law 000063Enforcement Request (LER), which was most commonly used to obtain subscriber information associated with an IP address in child sexual exploitation cases on a voluntary basis. ‘Most of Canada’s major Communications Service Providers (CSPs) complied with LERs voluntarily providing law enforcement with access to BSI in a timely manner. This situation, however, significantly changed in 2014 following a Supreme Court of Canada (SCC) decision relating to BSI, RusSpencer The Supreme Court Decision in R. v- Spencer On June 13, 2014, the SCC released its decision in R. x. Spencer. In this case, Saskatoon police identified an IP address that was accessing child pornography. Police were able to identify Shaw as the service provider who used this IP address and sought from Shaw the identity of the subscriber who used'the IP address at a particular time and date, Police used a LER to sequest and obtain the basic subscriber information from Shaw that led to Mr. Spencer. Shaw voluntarily provided the information and the police then sought and obtained a search warrant to seize Mr. Spencer’s computer. The accused challenged the LER on the basis of a reasonable expectation of privacy in an IP address under section 8 of the Canadian Charter of Rights and Freedoms (Charter). The decisions of the Saskatchewan Court of Appeal and the Saskatchewan. Coust of Queen’s Bench upheld the use of the LER for basic subscriber information, holding that there was no reasonable expectation of privacy in the information attached to the IP address. Although the SCC dismissed the appeal and confirmed the conviction for possession of child pornography, it also found that the acquisition of Mr. Spencet’s identity from the information provided by Shaw amounted to an unreasonable search. The Court conchuded that in this circumstance, Mr. Spencer had a reasonable expectation of privacy in his identity in respect of his online activities. The Court indicated that in this circumstance there was a reasonable expectation of privacy in the subscriber information related to an IP address, and that common law authority did not constitute “lawful authority” as required pursuant to section 7(3)(c.1)Gi) of PIPEDA in order for the police to obtain the information. The Court also found that section 487.014 of the Criminal Code (which did provide immunity from civil and criminal liability for voluntary disclosure) does not create any police search powers. The Court found that in this particular case there existed a reasonable expectation of privacy in a person’s identity and that a reasonable law or exigent circumstances were required to access it. The Court also noted, however, that common law authority of police to ask questions could suffice where there was no reasonable expectation of privacy. In considering the privacy interests, the Court looked at not only the mature of the precise information sought, but also at the nature of the information that it revealed. ‘The Court concluded that there existed sufficient grounds for the police to seek a search ‘warrant or production order in the first instance that would have led to the eventual search of 3 00064Mr. Spencer’s computer. Although the Court concluded that the initial search was in violation of the Chart, it also concluded that the police were acting in good faith and that the evidence in question ought not to be excluded on the basis of subsection 24(2) Charter analysis Impacts of Spencer on Criminal Investigations Subsequent to the SCC decision in Spencer, CSPs are generally interpreting the decision broadly and are reluctant to provide voluntary assistance to police, as were other third party information holders, such as banks. The reluctance in some cases to confirm or deny if an individual was even a customer of a CSP, or had relevant information, has led to challenging situations as this information is ‘tequired for the police to be able to apply to a court for a production order. This has created obstacles for law enforcement which has traditionally relied on a good level of assistance from CSPs, where they provided information voluntarily. In making requests for BSI for national security investigations, there has also been an increased level of concern from CSPs as to appropriate authorities, In the absence of any tool in law designed to compel CSPs to provide BSI, the police have looked at the general production order, for example, which is designed to provide access to a broad scope of information (such as a complete history of Internet activity) as a tool to enable access to BSI. This has cteated challenges as the police are not always in a position at an early stage of an investigation when BSI might be needed to meet the judicial threshold of reasonable grounds to believe that an offence has been committed that is required in order to obtain a general production order. Broader, more invasive search tools also have associated resource and timing implications, as the process of obtaining a court order is more onerous and time-consuming than making a direct request to a CSP. There has also been in some cases reluctance and hesitancy from CSPs to assist in exigent circumstances without a court order requiring assistance. Subscriber Information and Types of Data Some jurisprudence emerged post-Spencer to assist in providing direction, indicating that the SCC in Spencer was not looking at telephone-telated information, and that this information continues to attract litle if any expectation of privacy, consistent with a long line of jurisprudence. Some courts have also considered that an assistance order combined with a transmission data recorder warrant is, appropriate as authority for subscriber information as this information is essential to the effectiveness of the transmission data recorder. Despite this jurisprudence, access to BST remains a challenge for law enforcement in many respects, in the absence of an authority specifically designed to access it. These challenges may also present themselves in meeting Canada’s obligations to its international partners, where BSI is sought from Canada’s CSPs to advance a foreign criminal investigation or prosecution, ‘The distinction between telephones and the Internet from a technology perspective is evolving going forward, as today’s cell phones are increasingly similar in many ways to computer systems — and they can access the Internet. In fact, with Voice-Over-IP (VoIP), residential telephones a 00065themselves are devices associated with an IP address, as well as having a telephone number. Given these changes, the differences from a technology perspective between these types of telephony are less clear in some ways than they used to be with respect to the device as such (telephone or computer). The type of identifier (a phone number versus an IP address) is however seen to be of a different and distinct character when considered by the courts in the above-noted jurisprudence which has been considering and applying the Spencer decision, Basic Subscriber Information: Ensuring Necessary Access Prior to the SCC decision in Spencer, there were challenges in accessing BSI in a consistent manner, as assistance was provided on a voluntary basis, and provided in a variety of ways. Post-Spencer, these challenges have increased because CSPs are concerned about the legalities of providing voluntary assistance. This is due to theie concerns about applying the appropriate level of privacy protection that should be afforded to BSI, and any kind of information about subscribers, which has resulted in a desire to err on the side of caution in many instances. ‘These challenges for law enforcement and government access to BSI have been the subject of a number of proposals for legislative reform. These pre-Spencer proposals focused on ensuring rapid and consistent access to BSI through a system of designated officials and other administrative safeguards. BSI was defined in vatious ways in the proposals - most recently as name, address, phone number, IP address and service provider identifier. Safeguards proposed previously included designated personnel only, record-keeping and auditing authorities. The proposals were the subject of controversy, with criticism focusing on the perceived lack of safeguards for privacy protection and the overall inadequacy of the safeguards, and in particular the lack of a requirement for judicial authorization. ‘Most countties with legal systems comparable to Canada’s provide for access to BSI without judicial oversight. In many jurisdictions, access to BSI is compelled under law through a statute, many of which provide restrictions relating to limiting access as deemed appropriate, in some cases to the type of investigation (such as serious crime ) or the level of personnel (senior officials) or other limitations Any proposals to codify in law a framework for how law enforcement and national security agencies have access to BSI would need to ensure access could be provided in a manner that respected the SCC decision in Spencer and the Canadian Charter of Rights and Freedoms, and would not be overly burdensome for CSPs ot for the agencies requesting the information, 2 See the former Bill C-74 (Moderation of Investigative Techniques Act, 38% Paciament, 1 Session) fox previous Liberal ‘government proposals and the formes Bills C-87 (Teebwical Asistaue for Law Enforcement inthe 21° Century Act, 40% Parliament, 2 Session), C-52 (Dmesigatng and Prevewing Criminal Eletronic Communications Act, 40® Patliament, 3 Session) and C-30 (Protecting Clildren frome Internet Predators et, 41% Pasiament, 1* Session) for previous Conservative government proposals. Liberal MP Marlene Jennings also proposed access to basic subscriber information requirements in several ppivate members bill 000066Pages 67 to/a78 are withheld pursuant to sections sont retenues en vertu des articles 13(1)(c), 14(a) of the Access to Information de la Loi sur I'accés a l'informationANNEX 5 - Investigative Techniques in the Criminal Code, the CSIS Act and the Mutual Legal Assistance in Criminal Matters Act Introduction ‘This annex will include a brief description of the primary investigative tools in the Criminal Code, including search warrants, preservation demands and orders, production orders and wiretap authorizations, and a brief description of warrants under the Canadian Security Intelligence Serve Act (CSIS Ac). It also includes a description of the investigative powers under the Mutual Legal Assistance in Criminal Matters Act (MLACM.A). To access the text of the statutes, please consult the Justice Laws Website (http:/ /laws,justice.ge.ca/eng/).. “Lawful access” has been used in the past as an umbrella term to refer to certain legally authorized procedural powers and techniques, as well as criminal laws, which may come into play when law enforcement and national security’ agencies conduct their investigations, ‘The level of prior judicial authorization required to use these investigative techniques reflects, and responds to the level of intrusiveness of the respective technique and the reasonable expectation of privacy a person has in the information gathered by the use of the technique. Prior Judicial Authorization Law enforcement and national security agencies cannot use investigative techniques (such as searches or wiretaps) without being authorized to do so by law. The collection of evidence can only be carried out under a warrant, court authorization or other lawful authority that targets a specific individual's communications or information and can only be carried out for «a specified period of time, ‘The application for prior authorization is usually heard ex part, which means that the suspect is not part of the court proceeding, Involving the suspect at this stage of an investigation would undermine the police's ability to collect evidence by informing a suspect of the investigation. Depending on the type of judicial authorization, warrant, or order required for the investigative technique, there are two judicial standards that are applied in the Criminal Code reasonable grounds to believe — for information or techniques in relation to which a person has a higher expectation of privacy (Le., email content); and reasonable grounds to suspect ~ Please note that, asa foreign intelligence and information technology secusity agency, the Communications Security Establishment Canada (CSE) does not conduct national security or law enforcement investigations. It also does not direct its foreign intelligence or cyber secusity activites at Canadians or anyone in Canada, As such, the tools discussed in chs annex do nor relate to CSE. 000079for information with a reduced expectation of privacy (€g,, telephone numbers dialled) and for less intrusive investigative techniques. Before a court authorizes an investigative technique, a judge must be satisfied on information on oath by a police officer that there are reasonable grounds for believing or suspecting that an offence has been ot will be committed. In addition, under the higher reasonable grounds to believe standard, a judge must also be satisfied that the use of the investigative technique will afford evidence of the offence. ‘This ‘means that before a judge issues a search warrant, for example, he or she must be satisfied that there are reasonable grounds for believing that an offence has been committed and that the use of that search warrant will result in the seizure of evidence relating to the offence (eg. firearm). Under the reasonable grounds to suspect standard, a judge needs to be satisfied that the use of the technique will also assist in the investigation of the offence. Lower threshold tools, such as a production order for transmission data, are often used at the beginning of an investigation to gather information that will permit police to apply to a judge for a more invasive and comprehensive investigative tool, such as a wiretap authorization, More invasive tools, such as wiretap authorizations, which require the highest levels of judicial scrutiny under Canadian law, require that other conditions be fulfilled before this type of investigative technique may be used. For example, the wiretap may only be used in elation to specified serious offences, the judge must be satisfied that no other less intrusive technique will provide the same results, and that it is in the best interests of the administration of justice to grant such an authorization, Warrants and Orders Although there are a variety of court processes provided for in the Criminal Cade, those that relate to investigative techniques can be generally divided into two categories: Warrants and authorizations, which authorize state actors, such as law enforcement officers, to do something; and orders, which compel civilians to do something, Warrants and authorizations generally authorize law enforcement officers to do something themselves that would impact upon a person’s reasonable expectation of privacy. For example, a search warrant authorizes law enforcement officers to enter a premise and search for evidence of an offence. Production orders, on the other hand, compel a third party to compile documents or data in their possession or control for the purposes of the investigation of an offence. 00080While the search warrant expires once the search has been conducted, the production order is time sensitive and must be complied with by the third patty within the time allotted by the court. Although search warrants and production orders are both used to collect evidence, the production order is used most frequently with cooperative third parties because it is more efficient and less privacy invasive to have the holder of the information search for the information themselves. Production orders allow production of the data or information requested without the inconvenience of police searching the premises of the third party. Search Warrants” ‘A search warrant is an invasive and comprehensive tool used by law enforcement to conduct a search of something, such as a home, computer or car. Because it is a broad search power, itis granted once the conditions have been met under the reasonable grounds to believe standard. Tracking Warrants? ‘A tracking warrant can authorize tracking the location of transactions (ie., where a credit card was used), the location or movement of things (.¢., a vehicle), or the movement of an individual by ideritifying the location of a thing that is usually carried or worn by the individual (i., a cell phone). Warrants for tracking were updated in the Protecting Canadians from Online Crime Act (PCOCA), which came into force in March 2015, to address advances in technology, and in particular, the accuracy of such devices and theit potential for increased impact on privacy, by increasing the level of judicial scrutiny required when they apply to the tracking of individuals using a thing usually carried or worn. In addition to proving that the teacking warrant would assist in the investigation of an offence, law ‘enforcement officers would have to show they have reasonable grounds to believe an offence has been of will be committed in order to obtain authority from the court to track people in this way, while they would only need to demonstrate reasonable suspicion to ‘obtain authority to track transactions or things, such as a vehicle. Transmission Data Recorder Warrants* ‘The new transmission data recorder warrant, brought into law by PCOCA, replaced the old number recorder warrant to make the investigative technique applicable to all tclecommunications. The warrant allows law enforcement to not only collect the call identifying information collected under the old number recorder warrants but also similar information that relates to Internet activity. 2 See Criminal Code, 5487 3 See Criminal Code, 54921 + See Criminal Code, 492.2 00081‘Transmission data has been defined to include all data relevant to the transmission of a telecommunication. It does not include the content of the communication, but information about how the communication got from the sender to the recipient of the communication, With respect to email, for example, transmission data includes certain parts of the header data, such as the email address and the mail servers that transmitted the email, but it does not include the subject line or what a person types in the body of the email Wiretap Authorizations® Since 1974, it has been an offence in Canada to intercept the private communications of another person unless authorized under the Criminal Code, Part VI of the Criminal Cade sets out a number of methods by which law enforcement can be authorized to intetcept private communications, through prior judicial authorization or without prior judicial authorization in emergency situations. As mentioned earlier, the highest level of judicial scrutiny is reserved for wiretap authorizations and because of this, applications often number hundreds of pages and take months to compile to ensure that police can meet the rigorous judicial test. Also, because wiretapping as an investigative technique is by its nature surreptitious, Part VI sets out additional transparency requirements that are not required for the other investigative techniques, including notice to persons who were intercepted and public annual reports on the use of wiretap’ General Warrant” A general warrant can be obtained for investigative techniques that are not otherwise provided for by another warrant, authorization, or order in the Criminal Code. This provision also includes video surveillance warrants, which engage similar powers to wiretap authorizations and also require the enhanced wiretap-related protections. The general warrant can be useful to law enforcement for unique and unusual situations, or new and evolving environments, when prior judicial authorization is required. Assistance Order” In support of any warrant or authorization, a judge may also issue an assistance order, which compels a third party to provide assistance if it is reasonably considered to be required to give effect to the warrant or authorization. For example, when a wiretap authorization is issued, it is often accompanied by an assistance order that would compel the telephone company to facilitate the hook-up of the recording device. 5 Sce Criminal Code, Part VI, forthe framework pertaining to the interception of private communications; for general wiretap authorizations, sce 4.185 and s.186 "The most recent federal report can be found at https://www-publicsafey ge-ca/ent/rsres/pbletns/index- enaspx 7 See Criminal Cod, s 487.01 See Criminal Cad, 5487.02 00082Data Preservation? Data preservation tools were introduced in the Criminal Code in March 2015 by PCOCA. ‘These tools prevent computer data from being deleted while the Crown applies for a judicially authorized warrant or order for its acquisition. Law enforcement does not obtain information under the data preservation tools; these tools only allow for the safeguarding of the computer data from deletion. ‘There are two data preservation tools: preservation demand and preservation order. The preservation demand, which law enforcement can issue and is non-renewable, is valid for 21 days (90 days in relation to international investigations). Preservation orders ate issued by a judge or justice, are valid for 90 days, and can be renewed. Data preservation is often confused with “data retention” but the two are very different concepts. The term “data retention” refers to a general obligation which requires service providers to collect and store certain data for a prescribed period of time, for all subscribers, regardless of whether or not they are subject to an investigation. General data retention is not a requirement in Canada Production Orders*® ‘The Criminal Code contains a number of production orders ranging from those that can compel comprehensive production of data and documents in relation to which there is a higher expectation of privacy, to orders for specific, less private and limited information. The comprehensive general production order is a broad tool! that is used to collect information relating to a specific investigation held by a third party custodian, such as the content of emails, billing records, etc. The general production order may only be issued by the court when law enforcement has reasonable grounds to believe an offence has been, or will be, committed and the document or data to be produced will provide evidence of the offence. The high level of judicial scrutiny for this investigative tool reflects both the broad scope of the tool and the potential for a greater expectation of privacy a person can have in the data and documents that can be obtained by its use. Production orders were first included in the Criminal Code in 2004. In March 2015, PCOCA added three new low threshold production orders in the Criminal Code to assist police at the ‘earlier stages of investigations. These new production orders provide police with tools to collect transmission data, tracking data, and tracing data, which were added to the existing production order for basic financial data. The data or information that can be obtained ° See Criminal Cad, s 487.012 (preservation demand) and s.487.013 (preservation ordes) 1 See Criminal Cod, s 487.014 (general), 5487-015 (teacing), $487,016 (transmission data), 8 487.017 (tracking data), 487.018 (Ginancial data) 00083under such production orders may be of a personal nature, but is not information that is revealing or in relation to which there is a high expectation of privacy. CSIS Warrants ‘The CSIS Act sets out the Canadian Security Intelligence Service’s (the Service) mandate, including its collection authorities. The Service is mandated to collect, by investigation ot otherwise, to the extent that it is strictly necessary, information respecting activities that may ‘on reasonable grounds be suspected of constituting threats to the security of Canada. The threats the Service is authorized to investigate are defined in the CSIS Ad. ‘The power to authorize the use of intrusive investigative techniques by the Service, such as the interception of communications, rests solely with the Federal Court of Canada, Before such an authorization can be made, the Service must provide a solid justification for the proposed use of the technique and must obtain the approval of the Minister of Public Safety. If the Minister approves, an application is made to the Federal Court, which may issue a warrant if it is satisfied that all the requirements as set out in the CSTS Act, are met. Only after the warrant is issued can the Service proceed with the technique. Of note, the CSIS Act sets out a number of specific requirements related to the warrant application, including that it must specify matters including, but not limited to: * The facts relied on to justify the belief on reasonable grounds that a warrant is required by the Service; © That other investigative procedures have been tried and have failed or why it appears they are unlikely to succeed; and © That the urgency is such that it would be impractical to carry out the investigation using only other investigative procedures. The CSIS Act also contains provisions for assistance orders." A judge may order any person to provide assistance if the person's assistance may reasonably be considered to be required to give effect to a warrant. MLACMA Powers “The Mutual Legal Assistance in Criminal Matters Act (MLACMA) is Canada’s legislative authority to assist foreign partners in obtaining evidence and other assistance for their criminal investigations and prosecutions. Under the MLACMA, Canada has the ability to obiain court orders on behalf of foreign partners, including search warrants, production orders and subpoenas. 1 See CSIS Aas, .22.3(1) 00084PCOCA amended the MLACMA by incorporating, by reference, the new Crinrinal Code production orders and the new tracking and transmission data warrants described above. These amendments also created a more streamlined process for obtaining and sending evidence obtained pursuant to such orders and warrants to Canada’s foreign partners. ‘These powers form an essential part of Canada’s law enforcement toolkit. Without the ability to assist foreign partners with their investigations, Canada would not be able to, in tur, seek assistance from them to obtain digital evidence. 0008s