We spoke with Canada’s top privacy official about encryption and the RCMP.
On paper, the Office of the Privacy Commissioner is Canada's top privacy watchdog, a mantle that exudes a "buck stops here" aura of authority.
The reality is pretty different.
When it comes to overseeing Canada's cops and security agencies, the privacy commissioner is uncomfortably toothless. Although government policy dictates that all agencies and departments consult the privacy commissioner regarding any new initiatives that have privacy implications, that doesn't always happen.
When the Royal Canadian Mounted Police, or RCMP, decided to start fishing around for facial recognition tech, they didn't bother to tell the OPC, as the office is known. When a prison in Warkworth, Ontario, decided to install a Stingray-like surveillance device in its facility, the OPC was similarly unaware, it told Motherboard at the time.
"Encryption is one of the best tools to protect privacy, and it needs to be promoted, used, and protected"
With the passing of Bill C-51 last year, an anti-terror law that was widely criticized for giving police new and overreaching surveillance powers, and a recent Motherboard and VICE News investigation that revealed the RCMP hold the global decryption key for any and all consumer BlackBerry communications, it's clear that the privacy commissioner's role has become more important than ever.
In an uncommon one-on-one interview, I sat down with privacy commissioner Daniel Therrien at this week's International Association of Privacy Professionals conference in Toronto to talk about the role of privacy-protecting technologies like encryption in Canada, and why the OPC always seems to be playing catch-up with the cops.
Motherboard: Do you believe there needs to be a debate in Canada about balancing the use of encryption by citizens to protect their privacy, and the priorities of police? And what is your position on that issue?
Daniel Therrien: For sure, this needs to be discussed in Canada. The same issues, the same technology, the same need for the police or national security agencies to get access to information to do their job and identify criminals and terrorists, exist in Canada as they do in the US, Europe, and many other places.
It's a very tough nut to crack, this issue of the balance between encryption in this case and the need for the police to have access to some information. I don't think anybody has the exact answer to where to draw the line. I would say that there's no question that encryption is extremely important to protect the privacy of Canadians, including the vast majority of law-abiding citizens, obviously.
Encryption is one of the best tools to protect privacy, and it needs to be promoted, used, and protected. That's one side of the coin.
On the other side of the coin, the police and national security agencies also have a legitimate job to do, to get at information that will help them identify threats of criminality or national security. An important limitation to their powers is that they need to act according to the law. To me, there's a huge difference between police and national security agencies acting pursuant to a clear legal authority, or to a warrant. That is a situation where law enforcement agencies are able to implement the legal authorities that they have when they are clear and reasonable.
But when we get to issues like warrantless access, when the legal authority is much less clear, that is a different matter.
Encryption absolutely needs to be there, and promoted. The police have a job to do, but they have to do it within the law. We've seen many examples of attempts by the state to get access to that information in a warrantless way, and that is of concern.
"Often we see that the policy is not necessarily respected"
It seems like the Office of the Privacy Commissioner is sometimes the last to know about law enforcement initiatives that have clear privacy implications. For example, the RCMP soliciting facial recognition technology, or a prison using a Stingray-like device. Do you have a plan to change this?
On the RCMP device, we found out after the fact that the RCMP was sending out tenders for companies that might have this equipment without, they say, the intention in the short term to use facial recognition. So, that's a nuance on the facts.
On playing catch-up, we can only advise on issues that we're informed on. That's in part why I said in the recommendations to amend the Privacy Act that federal institutions—departments and agencies—should have a legal obligation to inform the Privacy Commissioner's office of initiatives, programs, that involve privacy. Currently, it's under a policy that this is done, and often we see that the policy is not necessarily respected.
If this became a legal obligation, as it exists in certain jurisdictions—and some of them in Canada, provincially—we think it's more likely that we will be informed.
Returning to your point about warrantless access, we saw in a recent investigation by Motherboard and VICE News that the RCMP acquired the global decryption key for any and all consumer BlackBerry devices. We have no reason to believe that any of this was done without a warrant or legal consent. If the law allows this to take place, is the law too permissive?
That's certainly possible.
When Bill C-13 was before the house, I made comments along those lines. This was a bill that purported and did actually provide additional powers to law enforcement, which we said did not have the right threshold in terms of reasonable grounds to believe that a certain criminal act was committed before certain powers were used. It is absolutely possible.
But here, in these situations, we do know, because the introduction of legislation is a very public act. We can intervene and make comments. We would obviously prefer that our advice was heeded more often, but at least there we have the opportunity to make comments.
And yes, sometimes the government goes too far in the legislation that it puts forward.