1 / 66

Surfing While Muslim

Surfing While Muslim. Privacy, Freedom of Expression and the Unintended Consequences of Cybercrime Legislation. CoE Convention on Cyber-crime. Feb. 1997 Council of Europe committee tasked to draft “binding legal instrument” to deal with computer-related offences,

kaoru
Download Presentation

Surfing While Muslim

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Surfing While Muslim Privacy, Freedom of Expression and the Unintended Consequences of Cybercrime Legislation

  2. CoE Convention on Cyber-crime • Feb. 1997 Council of Europe committee tasked to draft “binding legal instrument” to deal with • computer-related offences, • substantive criminal law, • international coercive powers and jurisdiction • April 2000, first public draft (Draft 19)

  3. Canada signs • Nov. 2001, Canada and 30 other nations sign the Convention on Cyber-crime • Canada only one of four non-CoE members to sign treaty

  4. Ratification • August 2002 - Lawful Access Consultation Document • Proposes amendments to Criminal Code and other statutes

  5. Lowering the bar • Most worrisome, new powers to compel records held by third parties, i.e. ISP subscriber records • Under a lower standard than now applied to other types of investigative powers, i.e. wiretaps, search warrants

  6. Do police need new legal powers? • Presumption that gov’ts introduce laws to remedy specific problems • new tech. allows criminals to commit crimes that we can’t detect, investigate or prosecute

  7. Where’s the evidence? • Public roundtables: no answers • freedom-of-info requests to Sol-Gen, DoJ, and Industry • Where’s the evidence that we need to dilute historical protections? • 8 mos. later Sol.-Gen. responds

  8. Solicitor-General responds “Law enforcement and national security agencies are simply asking that the same information that has been available to them when criminals and terrorists used mail and rotary telephones be available to them now.”

  9. Dartmouth report • Dartmouth ‘Needs Assessment’ • Info often technically difficult to collect • Lack of extra-jurisdictional coordination • Lack of tech. tools and training

  10. If we do sign, what are our obligations? • Art 18: Signatories must adopt ‘production orders’ to compel third parties – individuals or organizations – to produce • “specified computer data” = anything on a computer • “subscriber info” • Under their custody or control • Lawful Access: key amendment required to ratify

  11. Lowering the bar • “[I]n light of the lower expectation of privacy in a telephone number or Internet address, as opposed to the content of a communication… [a] specific production order could be created under a lower standard” • Targeted at “traffic data”

  12. Traditional thresholds for electronic surveillance • Rigorous legal framework for lawful interception of private communications • Strict procedural safeguards in Criminal Code, i.e. must have ‘reasonable and probable’ grounds on ‘information and belief’ that an offence has been or will be committed • Subject to Charter

  13. Justifications for lower thresholds? • More efficient? • Production orders less invasive? • “…no entry into and search by law enforcement of the premises of the third party…”

  14. 4 Criticisms • Overemphasis on physicality • “less intrusive” does not mean “more reasonable” • Lack of appropriate remedy • Public inferences about private activities

  15. 4 Criticisms: Overemphasis on Physicality • Del Zotto v. Canada (Minister of National Revenue) - that a reasonable expectation of privacy is not founded on the location of the information in which the expectation is held • R. v. Edwards - “an interpretation of the degree of intrusiveness is not a matter of where the information… is located, but to what extent disclosure… would impact the reasonable expectation of the individual’s privacy”

  16. 4 Criticisms: ‘Less intrusive’ does not mean ‘more reasonable’ • Assumes third party search more reasonable because it is less intrusive • U.S. v. Bach, 310 F.3d 1063, 1065 (8th Cir. 2002) • Yahoo! Technicians do not selectively choose or review the contents of a subpoenaed account, but simply hand over entire contents

  17. 4 Criticisms: Availability of Remedial Measures • How can you challenge a search you don’t know about? • Much less likely to know about a third party search • R. v. Rahey, [1995] 4 S.C.R. 588 at para. 111 “The question of breach must... be assessed in terms of the interests protected by the section and such remedy as the court can provide to secure them.”

  18. 4 Criticisms: Availability of Remedial Measures • Gov’t would foist responsibility for seeking remedies on parties with no standing under s. 24 (Charter) “Anyone whose rights or freedoms, as guaranteed by this Charter, have been infringed or denied may apply to a court…” • Excludes ISPs and other intermediaries even were they so inclined to take up this role

  19. CAIP & Privacy • Can. Assoc. of ISPs (CAIP) has been ambiguous about protecting subscriber privacy • Code of Conduct and Privacy Code indicate no disclosure except as required by law • Leave door open w/explanatory language • not every provider is a member

  20. 4 Criticisms: Public inferences • Ignores capacity of new tech. and new public-private relationships to draw public inferences about private activities • Location becomes less relevant in determining severity of intrusion

  21. Gov’t argues there is precedent • proposalsuggests that new, specific production orders analogous to ones used under ITA, Competition Act, and fordial number recorders, etc. are precedential

  22. No precedent • Not difficult to distinguish these categories • Tax info collected for regulatory, not criminal purposes • DNRs reveal much less about the ‘biographical core’

  23. Regulatory/Administrative vs. Criminal • Inquisitorial and compulsive nature of criminal investigations much higher • Triggers higher safeguards

  24. Criminal Investigations Attract Greater Scrutiny • BC Securities Comm. v. Branch, [1995] 2 S.C.R. 3 – biz docs have lesser privacy rts than personal records • R. v. Fitzpatrick, [1995] 4 S.C.R. 154 at para. 49 – records statutorily compelled as a condition of participation have little expectation of privacy (fishing records)

  25. Criminal Investigations Attract Greater Scrutiny • Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403 – biz records attract lower expectation not b/c of any label, but because of what these records typically contain • R. v. Plant, [1993] 3 S.C.R. 281 at 293 – hydro billing records did not reveal intimate details because electricity consumption reveals very little about our personal lifestyles

  26. Criminal Investigations Attract Greater Scrutiny • Even if you disagree with the result in Plant, the court engaged in the appropriate contextual analysis • Left the door open to properly assess the impact of new tech.

  27. Section 8 of the Charter • Everyone has the right to be secure against unreasonable search or seizure. • Leading cases on s. 8 is R. v. Plant, [1993] 3 S.C.R. 281 • ‘biographical core’ concept

  28. The ‘Biographical Core’ “It is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state." This "would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual.”

  29. The ‘Biographical Core’ • Phrase is evocative, but unfortunate • ‘core’ implies centrality, permanence and fundamental quality which belies ease of association/disassociation • Very few categories of data protected by enumeration in statute • Such an interpretation would ignore context

  30. Context is important in • Digital ‘traffic data’ in the hands of average person may be meaningless • but in possession of others with tech. or legal means, could reveal intimate details • Relates to value represented by data and • Relationship of subject to third party

  31. What is ‘traffic data’? • What does ‘traffic data’ actually represent? • No international consensus on def’n • Often analogized to ‘info on outside of envelope’ • accurate in the analog environment, it is highly problematic in the digital environment

  32. Figure 1: Traffic data on a plain old telephone system (POTS) 20021021070824178 165 0187611205 6139574222 ----------001------003sth 46 5145281768-----0013 1410260 Date & Time Caller No. Duration Recipient No.

  33. Figure 2: Traffic data from two callers on a wireless network time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:20:47:24 (A) time GMT=20010810010852 Cell ID=115 MAC ID=00:02:2D:04:29:30 (B) time GMT=20010810011254 Cell ID=129 MAC ID=00:02:2D:1F:53:C0 time GMT=20010810011254 Cell ID=129 MAC ID=00:02:2D:04:29:30 (B) time GMT=20010810011254 Cell ID=129 MAC ID=00:02:2D:20:47:24 (A) time GMT=20010810011256 Cell ID=41 MAC ID=00:02:2D:0A:5C:D0 Date & Time Location at 1:08:52 AM (Dorval Airport) Cell Location Location at 1:12:54 AM (Hilton Hotel)

  34. Figure 3a: Traffic data from a user connecting to a web server 295.47.63.8 - - [05/Mar/2002:15:19:34 +0000] "GET/cgi-bin/htsearch?config =htdigx&words=startrek HTTP/1.0"20 2225 295.47.63.8 - - [05/Mar/2002:15:19:44 +0000] "GET/cgi-bin/htsearch?config =htdig&words=startrek+avi HTTP/1.0"200x 192.77.63.8 - - [05/Mar/2002:15:20:35 +0000] "GET/cgi-bin/htsearch?config =htdig&words=conflict+war HTTP/1.0"200 211.164.33.3 - - [05/Mar/2002:15:21:32 +0000] "GET/cgi-bin/htsearch?confi g=htdigx&words=STD+clinic+Kingston… Search query Date & Time IP Address

  35. ‘Traffic data’ in the LA “telecommunications associated data” to mean “any data, including data pertaining to the telecommunications functions of dialing, routing, addressing or signaling that identifies, or purports to identify, the origin, the direction, the time, the duration or size as appropriate, the destination or termination of a telecommunication transmission generated or received by means of the telecommunications facility owned or operated by a service provider.”

  36. ‘Traffic data’ in the Convention “traffic data” means “any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.”

  37. ‘Traffic data’ in U.K. RIPA • relatively narrower definition • includes subscriber and routing information and 'post-cut-through' data, or digits dialed after a call has been connected (i.e. your bank password if you use telephone banking services), but in relation to Internet communications, would incl. server but not a website or page."

  38. ‘Traffic data’ in EU Dir. Privacy & Electronic Communications • latitude, longitude and altitude of the sender's or recipient's terminal, direction of travel, identification of the network cell in which the terminal equipment is located at a certain point in time, any naming, numbering or addressing information, volume of a communication, network on which the communication originates or terminates, and the beginning, end or duration of a connection.

  39. ‘Traffic data’ in CALEA • CALEA uses narrower "call-identifying information", which means "dialing or signaling information that identifies the origin, direction, destination, or termination • excludes entities engaged in providing information services (i.e. ISPs)

  40. But along came PATRIOT… • allows ISPs to voluntarily disclose "non-content" information to non-government entities for any purpose and to law enforcement in more limited circumstances. • expands info available with only admin. subpoena

  41. ‘Traffic data’ should attract R.E.P. • 3 reasons • Persistence, pervasiveness, permanence changes the nature of the info. • Structural characteristics of the interface(s) affect our understanding and behaviour • Tech. inverts proximity of p.i. to subject to extent that invasions rarely take place w/o complicity of third parties

  42. 3 P’s • Persistence, pervasiveness, permanence changes the nature of the info.

  43. Law & Code • laws that permit electronic surveillance typically incorporate authority and oversight • rarely does surveillance technology contain more than the first • no guarantee that authority will be used lawfully • a misunderstanding of tech. nuances can translate lawful uses of surveillance into immoral if not unconstitutional ones

  44. Interface ignorance • Structural characteristics of the Net fool us • Most of us have no idea what goes on ‘behind the screen’

  45. United States v. Maxwell, [1995] 42 M.J. 568, 576 - subscriber had an expectation of privacy in his email because only he could access his password-protected account and there was little risk that any messages he sent would be retrieved or read by anyone other than the intended recipients for the same reason

  46. Trust is a difficult thing to judge online and we frequently do it blindly. • Do we enjoy more privacy in visiting Playboy.com from a laptop in the physical solitude of our living rooms than if we were to pick up the magazine in the local corner store?

  47. Techno-illiteracy/opacity encourages false assumptions • Ignorance of the law is no excuse, but is ignorance of code? • If our actions remain unmitigated, should we suffer less privacy?

  48. In re Pharmatrak • Identical fact pattern to Doubleclick and Avenue A cases, but did not have permission to collect p.i. • Accidental collection through, GET method data on Detrol.com • GET data would be considered ‘traffic’ under LA, but was not by Pharmatrak ct.

More Related