Teresa Scassa - Blog

Displaying items by tag: geolocation
Tuesday, 04 April 2017 15:50

Privacy and IMSI Catchers

A major investigative report by Brigitte Bureau of Radio Canada (CBC English language version here) has revealed what has long been suspected – that Canadian police forces are using IMSI Catchers to harvest substantial amounts of telecommunications data with uncertain oversight and no transparency. The issue is one that should trouble all Canadians, reminding us not to become complacent about the health of our free and democratic society.

The cell phones we carry with us are in constant quiet interaction with nearby cellphone towers – ensuring a quick connection when we need one. As part of this process, our phones communicate their unique identifiers to these towers. An IMSI catcher (also known as a Stingray) will simulate a cell phone tower and will encourage all cell phones in the area to communicate with it. As it does so, it harvests and stores these identifiers. In this way, data is collected about phones in the vicinity, which can, of course, be ultimately linked to specific individuals. Although a police force may deploy an IMSI catcher in the context of a specific investigation with a target suspect or suspects in mind, the harvesting of data is indiscriminate and will affect all individuals with cell phones in the vicinity. In cities, this can mean thousands of individuals at a time.

While it would be foolish to dismiss the importance of the role played by law enforcement and national security in our societies, it would be equally foolish to passively accept surveillance without the safeguards of oversight, transparency and accountability. The Criminal Code contains an entire section devoted to the rules that govern how law enforcement officials may carry out investigations, including detailed rules governing warrants for the interception of telecommunications, production orders for data, tracking warrants (including tracking of cell phones), and general warrants. These provisions require police to go before a judge or a justice of the peace to make their case for the surveillance, and to have the boundaries of the search established. This authorization procedure acts as a safeguard to ensure a proper balance between the rights of individuals and the collective interest, and to ensure that surveillance does not become routine, ubiquitous, and unrestrained. Unfortunately, there remain question marks around the application of these provisions to technologies such as IMSI catchers: some question whether a warrant is need at all (see discussion below); others argue that the technology merits a lower threshold for obtaining a warrant. In addition, it should be noted that there is no guarantee that any warrant obtained will specify what must happen to the data that is collected about individuals who are not the target of an investigation. In other words, there are no guarantees that such data will be destroyed once it is found not relevant to the particular investigation for which the warrant was obtained.

It has long been suspected that police forces in Canada have been using IMSI catchers in their investigations. Either because such use was being carried out without warrants, or because the warrants remained sealed from public view, this usage has been invisible to ordinary Canadians. It is also quite possible that much of this activity has taken place with no oversight at all. In fact, police forces have been evasive in responding to questions about IMSI catcher use. What the Radio Canada reports reveal is that IMSI catchers are in fact being used in Canada, and that such use is entirely non-transparent. We should be extremely concerned.

Arguments for obscurity around law enforcement use of IMSI catchers have two main threads. The first is that such devices do not impact privacy and therefore warrant neither transparency nor oversight measures. This is nonsense. The IMSI catchers are used in order to detect the location and movement of specific individuals. Beyond this, they capture a vast amount of data that can be used to detect the location and movement of anyone in the area of the IMSI catcher. This has privacy implications not just for those who are the targets of the police investigation but for all who are caught up in the dragnet. Without transparency and oversight no one will know what data about them has been collected by police, to what uses this data is put, or how long it will be retained. The second thread is the assertion that if police disclose what they are doing, the bad guys will stay one step ahead of them. However, it is fairly clear that those engaged in organized criminal activity are well aware of the existence and potential use of IMSI catchers. Transparency does not have to mean making public announcements that an IMSI catcher is currently in use in a particular location. Arguments that transparency will undermine investigations are spurious and should not be used to justify extensive covert use of surveillance technologies by police that impact on tens of thousands of ordinary citizens.

In August 2016, CIPPIC, the Munk School of Global Affairs and the Telecom Transparency Project issued a report (Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada) on suspected but unconfirmed IMSI catcher use in Canada. The report provides a detailed overview of the technology, and examines how the use of IMSI catchers in other countries – including the United States – has been made more transparent and accountable. It is interesting to note that the growing body of law in the US that regulates IMSI catcher use evolved out of a similar cloud of deliberate evasion and obscurity that was brought to public attention by the activities of investigative journalists.

After reviewing the measures put in place in other jurisdictions to provide a legal framework for the use of IMSI catchers, the authors of Gone Opaque highlighted a number of legal safeguards that should be considered by Canadian policy makers. In the first place, the use of IMSI catchers should be subject to judicial oversight through the warrant provisions of the Criminal Code, and the threshold should be set to require police to demonstrate that they have reasonable and probably grounds to believe that an offence has or will be committed, as opposed to the much lower threshold of a “reasonable suspicion”. There should also be transparency mechanisms in place which can include statistical reporting on the incidence and scope of use, as well as the provision of some form of notification to all individuals who have been subject to IMSI catcher surveillance. Gone Opaque also discusses imposing proportionality measures such as limiting the use of IMSI catchers only to serious crimes or where other investigatory measures are not likely to be effective. There should also be limits placed on the scope of data collection, as well as on the retention and re-use of data – particularly data that is not related to the crime under investigation.

There is reason to be concerned that the covert use of IMSI catchers circumvents the safeguards put in place by Parliament in the Criminal Code. The provisions of the Criminal Code that deal with warrants and production orders in the context of data and telecommunications are far from perfect, but they do attempt to provide some measure of transparency and oversight when it comes to the exercise of state surveillance and tracking powers. To the extent that IMSI catchers are used in order to circumvent the Criminal Code procedures, and under the unjustifiable claim that they do not impact on privacy rights, Canadians should be outraged. Canadians should also demand much more when it comes to transparency and accountability around the warranted use of technologies that capture large quantities of personal information of ordinary individuals engaged in their daily activities.

 

 

Published in Privacy

Is there any such thing as a free app? In Albilia v. Apple inc, Justice Pierre Nollet of the Quebec Superior Court authorized a class action law suit against Apple in relation to the collection of personal information by third party application (app) developers via Apple devices such as the iPhone and the iPad.

The petitioner alleges that Apple encourages and supports the development of third party apps as a means of bolstering the popularity and sales of its devices. He also alleges that Apple permits third party app developers to harvest personal the information of users from their devices without their knowledge or consent. In particular, he alleges that such information may include precise location information, the unique device identifier, the user’s name, gender, age, postal code and time zone, information about activities performed using the app. He also alleges that this ongoing harvesting of personal information uses up the resources of the devices without the permission of the device owners. The class action is similar to two others that have been filed in the United States against Apple.

Although the petitioner initially sought to certify a Canada-wide class of affected persons, the judge limited the class to Quebec residents. He did so because the petitioner had failed to establish that the laws in relation to privacy across Canada were equivalent to those in Quebec. Indeed, although there are some similarities, it is fair to say that both the Civil Code of Quebec and the Quebec Charter of Human Rights and Freedoms offer both different and quite likely more extensive protection for privacy than do the laws in the common law provinces and territories.

Justice Nollet ultimately certified two classes for the law suit. The first consists of:

all residents in Quebec who have purchased or otherwise acquired an iPhone or iPad (“iDevice”) and who have downloaded free Apps from the App Store onto their iDevices since December 1, 2008 through to the present.

A second class relates specifically to concerns about the collection of geolocation information. This class consists of:

all residents in Quebec who have purchased or otherwise acquired an iPhone and turned Location Services off on their iPhones prior to April 27, 2011 and have unwittingly, and without notice or consent transmitted location data to Respondents’ servers.

The questions to be explored in the class action law suit include issues regarding whether the respondent Apple facilitated profiling of individual users or disclosed personal information without users’ consent to third party app developers. Other issues include whether location information could be collected from devices even after the location services functions are turned off by the user. The litigation also involves issues relating to consent by users to information gathering practices by both Apple and app developers. In bringing his motion the petitioner referred to a recent study by Eric Smith that detailed the information collecting practices of iPhone apps.

The collection of personal information from mobile devices – including data about a user’s online activities and detailed location information – raises significant privacy concerns. Many “free” apps may use information gathering as a means of generating a revenue stream; the information gathered may have nothing to do with the functions of the app itself. Users of mobile devices may not be sufficiently aware of the detailed location information that can be collected and shared when the location functions of their device are turned on; alternatively, they may turn these functions on specifically to enable certain useful features of their device without realizing that the same information may also be collected and used by apps whose functions are completely unrelated to their location. As with many other contexts, the user who downloads apps may have little time or attention to allocate to reading the detailed user agreements and privacy policies that may accompany their new apps. While courts may continue to insist that users are bound by these agreements, there is a growing concern that the sheer number, complexity and length of such agreements makes informed consumer consent virtually impossible on a consistent basis.

Class action law suits advance with glacial speed, and it is not likely that the questions raised in this dispute will be answered any time soon. Yet it is important that they be asked both here and in other contexts. The burden of privacy, in particular of protecting one’s personal information from unwanted profiling and surveillance, is becoming increasingly challenging for individuals. Not only is it difficult to grasp the full range of information that is being collected, by whom, and for what purposes, as we engage in perfectly ordinary day-to-day activities, secondary access to this information by third parties, including police and other state authorities is not at all transparent. In addition to greater scrutiny of data collection practices, attention must also be paid to the issue of consent, which is increasingly becoming a fiction in the face of turgid and impenetrable legal texts accompanying every small piece of software in our lives.

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law