Read before crossing

If you’re like us at the BCCLA National Security Blog, you store a lot of personal and private information on your laptops, smart phones, and other portable electronic devices. Today, we published a handbook (and a pocket guide!) to help you keep your information private when crossing the border into Canada. Why a handbook about border searches? Because the threshold for constitutionally-permissible search and seizure is lowered at the border, and because electronic devices — which can contain vast amounts of sensitive and personal information — are increasingly becoming the target of border searches.

So check out our handbook (which will get updated as the law and technology changes, in this rapidly evolving area), and our pocket guide (available for you to download and print out and fold into something wallet-sized). (And because we can’t help but brag a little: we made it onto Boingboing!)

Access this

This morning, the government tabled its so-called “lawful access” bill — which, if enacted, would enormously expand the ability of law enforcement agencies to engage in telecommunications surveillance (and for certain types of information, without even the benefit of a warrant).

This was hardly unexpected — in the run-up to finally tabling the legislation, Public Safety Minister Vic Toews has been launching preemptive strikes against those who would criticize the proposed legislation, accusing them of “aligning themselves with child pornographers.”

BCCLA Policy Director Micheal Vonn has been on media outlets all morning, giving her take on the proposed legislation, so we’ll be back with a round-up of her commentary. In the meantime, we wanted to share with you some resources to help make sense of these bills.

Last month, the BCCLA issued a report on “lawful access” legislation, in anticipation of today’s bills. What is “lawful access”? Well, we of course encourage you to read our report in full, but here’s a teaser:

“Lawful access” refers to the ability of law enforcement and intelligence agencies to lawfully conduct surveillance, and intercept or collect personal information of individuals, for example, by means of a search warrant. . . . The proposed new legislation takes advantage of new technologies, new modes of communication and new social practices to significantly expand access by law enforcement agencies to the personal information of individuals. Indeed, while referred to as “lawful access” powers, the lawfulness of some of these powers under the Charter of Rights and Freedoms is questionable.

For a quick primer on “lawful access” and why these bills are deeply problematic, we commend to you Michael Geist’s very information FAQs: Everything You Always Wanted to Know About Lawful Access, But Were (Understandably) Afraid to Ask.

Check out also (un)Lawful Access, a 15-minute video featuring interviews with Canadian experts (and produced by our colleague Kate Milberry).

And in the past, the Privacy Commissioners in Canada have also expressed their concerns about previous iterations of today’s lawful access legislation. The Information and Privacy Commissioner of Ontario made submissions to the Minister of Justice and Attorney General of Canada during the 2005 lawful access consultations. Last year, Privacy Commissioner of Canada Jennifer Stoddart sent an open letter to the Minister of Public Safety outlining her serious concerns about potential lawful access legislation.

If all of this has gotten you riled up, send a message to your MP via Open Media’s site.

Update (April 15): Here’s some of the BCCLA’s commentary in the media yesterday.

CBC: Online privacy erosion dismays critics

Georgia Straight: Court challenge likely if online surveillance bill passes, suggests B.C. civil rights advocate

Contrariwise, if it was so, it might be; and if it were so, it would be; but it isn’t, it ain’t.

Contrariwise, if it was so, it might be; and if it were so, it would be; but it isn’t, it ain’t. That’s logic. (1)

Happy 2012 from the BCCLA National Security Blog. We start off the year with a report that the Department of National Defence has decided to extend the protections of Canada’s Privacy Act to detainees captured by Canadian Forces operating in Afghanistan.



According to media reports, the DND’s invoking the detainees’ privacy rights as a means of resisting disclosure of photographs.

By way of background, Paul Champ and Amir Attaran sought, via an Access to Information request, photographs of detainees captured by Canadian Forces in Afghanistan. They had originally requested these photographs to determine whether they contained any evidence of detainee torture or abuse. Their request was refused.

Such secrecy and refusal to disclose even basic information about the treatment of CF-captured detainees is nothing new, of course. Readers of these pages will recall how difficult it was for the MPCC — and even Parliament — to get documentary disclosures relating to Afghan detainees from government. To test how far the government was willing to keep information about detainees out of the public eye, Professor Attaran modified his request: if maintaining the detainees’ privacy rights was a concern, then he would be willing to accept photographs that completely blacked out the detainees’ faces, but left their hair-styles unobscured. His request was again refused, despite a recommendation from the Information Commissioner of Canada that the blacked-out photographs be released.

The Ottawa Citizen is now reporting that the DND withheld these photographs based on a theory that their release would violate the detainees’ privacy rights. As reported:

“National Defence will not follow the recommendation made by the Information Commissioner of Canada regarding disclosure of photographs covered by this file and is prepared to defend the decision in court if necessary,” Julie Jansen, head of DND’s Access to Information branch, wrote in the October 2010 briefing note.

Jansen argued the photographs constituted “personal information” of the insurgents and releasing images of their hairdos would “probably cause injuries related to national security.”

The privacy rights of detainees are important, certainly. In fact, the Geneva Conventions make clear that proper treatment of prisoners of war means that their photographs should not be disseminated in any way that could be seen as degrading or humiliating them. But in the case of the photographs being requested by Professor Attaran, it’s far from clear as to what privacy rights are being protected by withholding their disclosure. And for the government to invoke the rights of the detainees in an effort to shield itself from public accountability and scrutiny is nothing short of astounding. We can’t put it any better than Professor Attaran:

“The same government that says those detainees have no rights under the Charter of Rights and Freedoms now embraces the idea that detainees have rights under the Privacy Act,” he explained. “The government’s position is that these persons have privacy rights but no constitutional right to avoid torture.”

And indeed, legal experts are already suggesting that by extending the jurisdiction of the Privacy Act to Afghan detainees, the government may be (inadvertently?) setting the stage for an argument that the protections of the Charter — our most basic law — should be likewise available.

This isn’t the first time we’ve heard the government invoke the Privacy Act and the need to protect detainees’ privacy rights, at the expense of ensuring accountability for violations of fundamental human rights. During the course of the Afghan Public Interest Hearings at the MPCC, the government made the argument that members of the military police didn’t have any reason to launch an investigation into whether detainees were being transferred to torture and abuse because they had no reason to suspect that detainees were being tortured, or that Canadian commanders disregarded the risk of torture. The subjects of the MPCC complaint largely claimed that they weren’t aware of first-hand accounts of torture and abuse, notwithstanding the fact that some of these reports were documented by Canadian diplomats and provided to Canadian military commanders. Furthermore, it was argued, members of the military police could not have reasonably been expected to know or access information relating to detainee abuse and torture because it would violate the detainees’ privacy rights.

And so (again): in the name of protecting detainee privacy, government shuts the door to any scrutiny of its conduct, to any attempts at discerning what has happened to the men and children our troops have delivered to the Afghan government, and to any true accountability to the Canadian public.

(1) h/t Lewis Carroll.

“Once you give the name to the Americans, that’s the end of the game.”

This week, Neil Macdonald at the CBC has been reporting on WikiLeaks cables illustrating how Canada shares intelligence on Canadian citizens and residents with the United States. That CSIS routinely shares intelligence with the U.S. should come as a surprise to no one, of course. That CSIS provides details to the U.S. with names and personal details of Canadians “suspected” of what CSIS refers to as “terrorist-related activity” should perhaps also not be too surprising, either, given what we learned during the Arar Inquiry and other similar proceedings. What is surprising — and alarming — is how little evidence of wrongdoing, or even suspected wrongdoing, is required before a Canadian is named a terrorist threat. As the CBC reports:

The criteria used to turn over the names are secret, as is the process itself.

But a new cache of WikiLeaks documents pertaining to Canada lays bare the practice. It contains not only frank assessments by U.S. officials of Canadian co-operation, but the names of 27 Canadian citizens turned over by their own government as possible threats, along with 14 other names of foreign nationals living in Canada.

In at least some cases, the people in the cables appear to have been named as potential terrorists solely based on their associations with other suspects, rather than any actions or hard evidence.

Of the 41 people named, 21 do not appear to have ever been charged, and some had never come to the attention of the Americans before being named by their own government. Most of the remaining 20 names comprise the group known as the Toronto 18. Some of that group were charged and convicted; others had charges against them stayed.

The cables are a snapshot of periods in 2009 and 2010. Over the years, the number of names handed over is certainly much higher.

The experience of Maher Arar has taught us of the terrible consequences that can flow from cavalier designations of individuals as terrorist threats. Acting on faulty intelligence supplied by the RCMP, the United States arrested, interrogated, and renditioned Arar to Syria, where he was tortured. The Arar Commission ultimately found that the actions of Canadian authorities led to his mistreatment at the hands of the Americans, and recommended that strict limitations be placed on how information about Canadians is shared with foreign governments. This recommendation has yet to be implemented, and indeed, as the Council of Canadians points out, the Canadian government is actually working to increase the flow of personal information from Canada to U.S. government databases.

But as Paul Cavalluzzo, lead counsel for the Arar Commission, told the CBC, “Once you give the name to the Americans, that’s the end of the game.”

And the process for naming, as reported by the CBC, is distressingly faulty:

… as Cavalluzzo points out, the process is secret, with no judicial oversight, and takes place without the knowledge of the individual being “targeted.”

“It certainly doesn’t meet any criteria of due process in the sense that the individual has no representation whatever. Don’t tell me there’s a devil’s advocate. That and a dollar will get you a cup of coffee.”

And nor, does it seem, there be any requirement of evidence that the named individual has actually engaged in criminal conduct or is even suspected of engaging in criminal conduct. As we’ve said before in these pages, the anti-terrorism laws in Canada’s criminal code are breathtakingly broad in scope, and offences run the gamut from “facilitation” and “harbouring” to conspiracy, threats to commit a terrorist act, and to the actual terrorist act itself. Without even a requirement of reasonable suspicion to commit any sort of criminal offence, individuals can be deemed terrorist threats and their names provided to the U.S. government.

As if all this wasn’t troubling enough, the CBC reports today that one of the individuals named in the cables as a potential terrorist is Mubin Shaikh,  a Canadian citizen and CSIS operative whose testimony was critical in securing convictions in the Toronto 18 terrorism trials. As Neil Macdonald points out, Shaikh’s inclusion on this list can only really mean two things.

The first is that the listing process employed by CSIS is seriously flawed, and resulted in the incorrect designation of a Crown agent as a terrorism suspect, exposing him to all of the attendant consequences flowing from being named a potential terrorist.

The second is that Shaikh’s inclusion on the list is not a mistake, and that the Canadian government did legitimately suspect him to be involved in terrorist activities. In which case, the question becomes why this information was not provided to the defendants in the Toronto 18 trials, where Shaikh’s evidence was crucial to the Crown’s case. Indeed, this is the question that counsel for the defendants are asking now, and demanding that the government answer. As reported in the CBC:

“It was his evidence that took them all down,” Alberta lawyer Dennis Edney told CBC Wednesday night. Edney represented Fahim Ahman, a ringleader who eventually pleaded guilty and remains in prison.

“Most of the warrants for wiretaps that were obtained were obtained as a result of conversations he had with the suspects.”

“It takes your breath away,” said Mitchell Chernovsky, a lawyer who represented another of the Toronto 18. “It rings alarm bells all over the place.”

Both Chernovsky and Edney said they would probably make formal demands to the Crown, asking why they were not told of whatever information led CSIS to denounce Shaikh to the Americans. Defence counsel are legally entitled to disclosure of all such information, in order to prepare their cases.

And these cables likely represent just a small sampling of the names provided to the Americans in recent years. The number of names provided is likely to be much higher than the 41 reported in the WikiLeaks cables, so it’s unclear how many more cases like Shaikh’s there are. Given the extreme secrecy of intelligence sharing, it’s also impossible to know whether adequate safeguards are in place to ensure that there are controls over the use of personal information by foreign governments.  What is clear is that some true accountability mechanism must be available to ensure that individuals are not branded as terrorists and their personal information disclosed to foreign governments without any limitations. So far, however, CSIS isn’t responding to CBC’s request for comment on its stories, and it isn’t providing the public with any real answers either, so it remains unclear whether — and how — the rights and security of Canadians are being protected.

ETA: National security expert Wesley Wark provides his views on the implications of Shaikh’s listing in the Ottawa Citizen.

Back from hiatus! (briefly)

So one of our readers pointed out recently that the National Security Blog’s long overdue for an update, and he’s absolutely right, especially given the things we’ve been up to recently.

  • In November, hearings resumed at the Military Police Complaints Commission on the transfer of Afghan detainees to risk of torture.  The Commission heard testimony from all of the subjects of the complaint — the senior members of the Military Police who would have had responsibility to ensure adequate investigations into whether the Canadian Forces were properly transferring detainees to Afghan authorities.  Cross-examination of these witnesses was conducted by our pro bono counsel Paul Champ, BCCLA Litigation Director Grace Pastine, and BCCLA Counsel Carmen Cheung.  The evidence we heard was distressing:  again and again, senior members of the Canadian Forces Military Police informed the Commission that they never initiated meaningful investigations into the transfers, despite the fact that transfers had to be halted following one of many reports of detainee abuse by the Afghans.  One witness even told the Commission that he didn’t know which country the CF was transferring to.  We’ll be back in Ottawa and before the Commission in early February, as it hears final submissions from all of the parties.
  • While Grace and Carmen were at the MPCC, BCCLA Policy Director Micheal Vonn was down the street, testifying before the Standing Committee on Transport at the House of Commons on Bill C-42 and the US Secure Flight Program, and our concerns about the imposition of a foreign blacklist on Canadian soil.

Some things we’re keeping our eye on too, in the coming months:

  • The Federal Court’s three decisions concerning Mohamed Harkat, one of the remaining individuals subject to the federal government’s deeply troubling security certificates regime.  In its rulings, the Federal Court approved the reasonableness of the security certificate against Harkat, which permits the government to maintain Harkat’s virtual house arrest.  It also affirmed the constitutionality of the new security certificate regime, which was modified following the Supreme Court of Canada’s ruling in an earlier case involving Adil Charkaoui, whose own security certificate was eventually struck down.
  • The Standing Committee on Public Safety and National Security started hearings this week on Bill C-17, which seeks to reintroduce into the Criminal Code so-called anti-terrorism legislation permitting investigative hearings and preventative detention without charge.  The BCCLA is on the Committee’s list of witnesses; hearings on the measure are expected to resume following Parliament’s holiday recess.

And speaking of holiday recesses, the National Security Blog will be back in the new year with our updates and commentary, so we’ll see you then.

CBSA laptop search documents

In late February, shortly after the story we posted about the Canada Border Services Agency delaying our request for documents on their policies on searching laptops and other personal electronics, a slim brown envelope arrived in our office. The response came just over two weeks after the extended deadline the CBSA set for itself had expired. The delay was frustrating, but not nearly as long as we’d feared given the abysmal state of access to information responses from other governmental agencies.

Image: jasonunbound on Flickr

Now that we’ve had a chance to go through the documents, there were few surprises. The documents provided by the CBSA were disorganized and still fail to provide a clear and complete picture of CBSA policies and practices on data search and retention. In the end, the documents raised more questions than they answered, but are fairly interesting in their own right, if only for the glimpse into the institutional culture of the CBSA they can provide.

Many categories of important information were completely redacted or exempted from disclosure. Some of the redactions were legitimate—legal opinions, for instance, would generally be covered by solicitor-client privilege. Other omissions were less convincing, and the practice of redacting in white rather than in black left it unclear whether information was missing or not. Some areas of the request were completely ignored or omitted. For instance, we asked for statistics on how many searches of personal electronics had been conducted. These statistics were not even referred to in the documents provided.

The BCCLA has filed another complaint with the Office of the Information Commissioner, this time regarding the exemptions and redactions from the documents provided by the CBSA in response to our request. For now, here’s a review of some of the highlights of the documents we have received:

The consistent:

  • CBSA policy states that “the difference between a paper document and information stored electronically is only the medium it is stored on” (A-2009-01850-Vol2 on p. 5). We can think of lots of other differences—the kind and quantity of information that is regularly brought across the border by travellers bringing their laptops and smart phones, for instance—but this fits with what we had learned about CBSA search practices.
  • The CBSA spends a lot of time thinking about child pornography. We’d always assumed this was the case, but the documents show that an entire chapter of the Customs Enforcement Manual is dedicated to the subject (A-2009-01850-Vol4).
  • The CBSA can and does perform laptop searches at random, but “will only scan or peruse a document to the extent necessary to either confirm or negate its association to an offence or intelligence concern” (A-2009-01850-Vol2 on p. 2).
  • Most screening is not at random, relying instead on various “indicators” including “known importers, exporters, known export locations (specific locations or geographical areas), the nature of the goods being imported (commodities known to be suspect) and/or information disseminated through regional or headquarters intelligence channels. … Officers should also be aware of high-risk geographical locations for child sex tourism” (A-2009-01850-Vol4 at p. 6). Specific indicators and suspect nations were redacted from the documents CBSA provided us. However, from court documents filed in the case of former Bishop Raymond Lahey, we know that “border officials flagged Lahey because he was a man travelling alone and his passport showed several trips to Southeast Asia, Germany, Spain and other areas known for child pornography”.
  • Screening also relies on various databases, including the Integrated Primary Inspection Line system (IPIL) and Integrated Customs Enforcement System (ICES) for primary screening, and Field Operations Support System (FOSS), the Canadian Police Information Centre (CPIC), National Crime Information Center (NCIC), the sex offender database, Treasury Enforcement Communications System (TECS), and Police Information Records System for secondary screening (PIRS) (A-2009-01850-Vol6 on p. 14).
  • The “Electronic Media Search Form” sets out a lot of what CBSA officers are looking for when they decide to search a computer. Officers will look for user accounts visible on the login screen, note the operating system, any encryption, and provides space for passwords provided, but also a box for “password not located”. There are also suggested image and keyword searches to guide officers (A-2009-01850-Vol6 on p. 6-8).

  • The CBSA has software to assist border agents with laptop searches. If, after an initial search, the border agent feels further scrutiny is required, he or she uses software called ICWhatUC to scan images stored on the traveller’s hard drive. ICWhatUC only works on Windows machines. It scans for image files on a computer, including images in the web browser’s cache, image files with strange file extensions (like .doc instead of .jpg) and files in the recycle bin. Deleted files and files in archives do not show up. We’ve purchased a copy of the law enforcement version of ICWhatUC and will be doing an analysis of its capabilities and limitations in another post this month.

The weird:

  • A Powerpoint presentation illustrates the physical size of media that it is possible to store on media of various capacities. For instance, “one meter (or close to a yard) of shelved books” is about 100 megabytes, while a “pickup truck filled with books” is about 500 megabytes of data (A-2009-01850-Vol7 on p. 4). A USB key could “contain a stack of paper (8.5×11), 35 feet higher than the CN tower” that “would take two years to print @ 24/7” (A-2009-01850-Vol7 on p. 1).
  • Another bizarre Powerpoint charts porn vs. time, showing that every second $3075 is spent on pornography, 28258 internet users are viewing pornography, and 372 people are typing adult search terms into search engines (A-2009-01850-Vol7 on p. 3). It follows this information up with statistics on youth viewing pornography, and then directly to statistics on seizures of child pornography (p. 4). This disingenuous attempt to link legal, adult pornography with the production and distribution of child pornography in its training materials may be part of the reason for CBSA’s continued targeting of legal materials it finds objectionable, like artsy queer films.
  • A chart breaks down the difference between “child pornography” and “not child pornography”, in case there was any confusion (A-2009-01850-Vol4 on p. 16). This chart seems to be common sense, but given some of the ridiculous accusations that have been made in the past, it’s probably a good thing that CBSA agents are provided with this handy cheat sheet:

A later document notes another example: “Japanese Anime – most not child porn” (A-2009-01850-Vol6 on p. 13).

The missing:

Five key areas were not addressed adequately (or at all) in the CBSA’s response to our request:

  1. Criteria for selection of individuals for device inspection. Information was referred to, and some information provided, but the contents of these sections were heavily redacted.
  2. Policies for copying and retention of electronic information. Some information was provided, but it only referred to cases where potentially criminal conduct was detected during the CBSA’s initial search. Further information is required here.
  3. Statistics on the number and kinds of devices inspected.
  4. Demographic information on individuals whose devices have been inspected.
  5. Policies for the distribution of electronic information copied from electronic devices to other government agencies.

These areas make up the substance of our second complaint to the Information Commissioner.

Overall, the CBSA’s lack of transparency on this important issue is discouraging. While their policies on searches appear to be quite similar, the CBSA has not been as forthcoming with information as even the secretive U.S. Department of Homeland Security, which has made its policy publicly available.

The documents:

As promised, we’ve made all the documents we received available online. Download them and have a look through them yourself. If you see anything of special note, have your own story of having your electronics searched at the Canadian border, or have something to add, please let us know in the comments or by email: [greg]@[bccla].[org]

Databases: We’ll show you ours if you show us yours

The Afghan detainee file has been taking up a lot of our time lately, but the BCCLA national security team hasn’t dropped the ball on other issues.

One area we’ve been watching is transnational data sharing, especially between Canada and the United States. Canada and the U.S. have been sharing police records since the Reagan era, and the relationship has only become cozier since 2001. An article in the USA Today illustrates just how close that relationship has become:

Thousands of times each day, Canadian authorities tap into sensitive U.S. government databases to check the criminal histories of U.S. citizens who are crossing the border or have been entangled in the Canadian criminal justice system, FBI records show.

During the Winter Olympics, Canadian authorities ran nearly 10,000 criminal history checks per day, more inquiries than some U.S. states perform each day, FBI records show.

Even more Canadian citizens receive similar scrutiny by U.S. officials with access to Canadian records, according to RCMP records. Since January, Canada has conducted 400,000 queries and the U.S., 1.4 million.

Systems used that widely have a gross potential for abuse. We wouldn’t just trust another nation to troll through our most sensitive records, would we? There must be some oversight built into the system, right? Wrong:

The U.S. has no independent authority to audit Canada’s use, Weise says, and Canada has no authority to police U.S. queries of its system. Weise and RCMP Sgt. Greg Cox say the two countries conduct regular internal audits of their own use.

Well, if it’s widely used and there’s absolutely no accountability, we shouldn’t be worried if we’ve nothing to hide, right? Wrong again:

Canada’s access to such detailed — and possibly outdated — personal histories of U.S. citizens, including decades-old misdemeanors, can result in wrongful detention, interrogation and foreign travel bans.

About half of the arrest records in the system have not been updated to reflect convictions, dismissals or acquittals, Weise said, adding that local law enforcement agencies are responsible for giving the FBI updated information.

So to sum up: Border agents in Canada and the United States have unlimited access to the other country’s criminal databases. There are no checks and balances to ensure that U.S. use of the Canadian system is appropriate, and vice versa. Even if our border guards are using their database access appropriately, the information in the database is wildly inaccurate and out of date, often resulting in wrongful detention, embarrassing interrogations and searches, or even travel bans.

Despite these enormous problems, we’re still rushing to share even more information between our nations. This week, BCCLA Policy Director Micheal Vonn is off to Ottawa to appear at a parliamentary committee meeting discussing the Passenger Protect Program and plans to bring the U.S. No-Fly List to Canada. We’ll have more on that when she reports back.