Lawful Access - Consultation Document
Several amendments to the Criminal Code have been proposed to deal with the interception and search-and-seizure provisions noted above, and to permit Canada to ratify the Council of Europe Convention on Cyber-Crime.
A production order requires the custodian of documents to deliver or make available the documents to persons such as law enforcement officials within a specified period. Production orders already exist in some federal laws, such as the Competition Act. However, except for a very narrow type of production/collection orders, there are currently no production orders provided for in the Criminal Code.
In order to give law enforcement agencies appropriate procedural powers to deal with new technologies, three legislative proposals are under consideration:
create a general production order;
create a specific production order for traffic data;
create a specific production order for subscriber and/or service provider information.
If either a specific or a general production order is created, it is essential to recognize and maintain rights protected by the Canadian Charter of Rights and Freedoms, such as protection to individuals against self-incrimination.
In some cases of searches against third parties, such as corporations or banks, law enforcement agencies obtain judicial search warrants but do not actually conduct the searches themselves. For practical reasons, the third-party custodian of the documents is often in a better position to produce the documents. However, it can take some time for that third party to find and produce the documents for law enforcement agencies.
One way of solving this problem could be to create a general production order requiring the custodian to deliver or make available the documents to law enforcement officials within a certain period of time. A production order could be issued in circumstances similar to those under which a search warrant is issued. Executing such an order might be considered less intrusive than a search warrant as there would be no entry into and search by law enforcement agencies of the premises of the third party. Such production orders could also allow law enforcement officials to obtain documents in cases where a search warrant cannot be delivered because the documents are stored in a foreign country.
Issues to be considered
should the Criminal Code be amended to allow law enforcement officials to obtain production orders in specific cases?
should the Criminal Code allow for anticipatory orders (e.g., permit law enforcement agencies to monitor transactions for a specified period of time)?
what kind of procedural safeguards should be included?
The Criminal Code generally provides that law enforcement agencies cannot obtain documents or information without having reasonable grounds to believe that an offence has been or will be committed. This requirement is a safeguard that balances the state's need to obtain evidence of a crime with the privacy interests of a person holding information. This requirement is particularly appropriate where there is a high expectation of privacy, such as in regard to the content of a private document. However, the Criminal Code also provides for production/collection orders under a lower standard in a very limited number of cases, such as income tax information for specific offences, tracking devices and dial number recorders (devices that record incoming and outgoing telephone numbers), at an earlier stage of the investigation. Except in these very limited cases, the current safeguard prevents important information from being gathered at an early investigation stage, even if there is a low expectation of privacy in relation to the information being sought.
- Telecommunications Associated Data
- means any data, including data pertaining to the telecommunications functions of dialling, routing, addressing or signalling, that identifies, or purports to identify, the origin, the direction, the time, the duration or size as appropriate, the destination or termination of a telecommunication transmission generated or received by means of the telecommunications facility owned or operated by a service provider.
A specific production order could be created under a lower standard in order to allow for the production of telecommunications associated data, that extends beyond the telephone numbers already covered by section 492.2 of the Criminal Code, historic traffic data or real-time collection of traffic data. Although real-time search of traffic data is already permissible under either section 487.01 or Part VI, the standard for Internet traffic data should be more in line with that required for telephone records and dial number recorders in light of the lower expectation of privacy in a telephone number or Internet address, as opposed to the content of a communication.
A specific production order to be issued under a lower standard could also be created to obtain other data or information in relation to which there is a lower expectation of privacy.
Issues to be considered
- should there be a specific power, parallel to that provided for in the Criminal Code dial number recorders, to allow law enforcement and national security agencies to obtain traffic data?
- how should "traffic data" be defined? Should the definition of traffic data be combined with telephone-related information and addressed in the same Criminal Code provision?
- should other specific production orders be created under a lower standard?
- what kind of procedural safeguards should be included?
Basic customer information such as name, billing address, phone number and name of service provider, has historically been made available by service providers without a prior judicial authorization (such as a search warrant). For instance, the Supreme Court of Canada decision in R. v. Plant, (1993) 3 S.C.R. 281, held that, in the context of information held by a business, a person does not have a reasonable expectation of privacy in personal information that does not tend to reveal intimate details of his or her lifestyle and personal choices. The Personal Information Protection and Electronic Documents Act allows for the disclosure of personal information without the knowledge and consent of the individual to whom it pertains, as long as that disclosure is requested by a government institution that has identified its lawful authority to obtain such information.
In addition, in relation to Customer Name and Address (CNA) information, the Canadian Radio-television and Telecommunications Commission (CRTC) decided that it would not exert its jurisdiction in relation to such information if it was confidential, and is currently considering whether some service providers might conduct reverse searches on non-confidential customer name and address information. Further to recent rulings by the CRTC, information that identifies a local service provider can only be provided if certain specific conditions have been met.
However, if such conditions have not been met or if the custodian of the information is not cooperative, law enforcement agencies have no means to compel the production of information pertaining to the customer or subscriber without some form of court order. A problem does exist in cases where no warrant can be obtained under the Criminal Code (e.g., s. 487) because law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation.
Issues to be considered
- should there be a specific production order in relation to customer name and address and service provider information?
- under what conditions should such information be made available and to whom?
- what is the standard that should be required?
- should this obligation be imposed even if the service provider is not currently collecting this information for its own purposes?
Section 487.02 of the Criminal Code provides that a judge or justice who gives an authorization to intercept a private communication, who issues a search warrant or who makes an order authorizing the use of a dial number recorder may also make an order requiring any person to assist in the execution of these orders. Such assistance orders may only be issued where the person's assistance may reasonably be required to give effect to these orders.
Some law enforcement officials have raised the possibility of including assistance orders in other acts, such as the Competition Act, that already allow for the issuance of search warrants or for the granting of interception authorizations. Some stakeholders have also suggested that any Act allowing for the issuance of assistance orders should spell out what could specifically be required under such orders. In the context of lawful access such clarifications in the law could allow service providers to understand more clearly the extent of their obligations.
Issues to be considered
- should legislation that already allows for the issuance of search warrants or the granting of interception authorizations be amended to include the possibility for a judge or justice to issue an assistance order to give effect to the warrant or authorization?
- should assistance orders more clearly spell out the scope and limits of what a person may be required to do to give effect to the warrant or authorization?
A procedural mechanism in the Council of Europe Convention on Cyber-Crime that does not exist in Canadian law is the concept of a preservation order. A preservation order acts as an expedited judicial order that requires service providers, upon being served with the order, to store and save existing data that is specific to a transaction or client. The order is temporary, remaining in effect only as long as it takes law enforcement agencies to obtain a judicial warrant to seize the data or a production order to deliver the data. For example, a preservation order could require an Internet service provider (ISP) not to delete specific existing information relating to a specific subscriber. It is meant as a stopgap measure to ensure that information vital to a particular investigation is not deleted before law enforcement officials can obtain a search warrant or production order.
Consideration also needs to be given to exigent circumstances, situations in which it could be argued that law enforcement agencies should be able to impose on a service provider the requirement to preserve data even without a judicial order for a specified period such as four days, if the conditions for obtaining a judicial order exist but it would be impracticable to obtain one. An exigent circumstance provision is already included in the Criminal Code in relation to search warrants and wiretaps.
It should be noted that data preservation is different from data retention. Data preservation, as outlined above, involves serving a judicial order on a service provider to ensure that existing specified information in relation to a particular subscriber is not deleted. Data retention, however, is a general requirement that could compel service providers to collect and retain a range of data concerning all of its subscribers.
Issues to be considered
- should a data-preservation order apply only to stored computer data or should it also apply to paper records?
- under what legal standard should a data-preservation order be granted?
- should standards vary depending on the nature of the data?
- who should be authorized to issue a preservation order?
- what is a reasonable period for a custodian of data to be compelled to preserve data: 90, 120, 180 days?
- should there be a specific penalty for non-compliance with a preservation order, or is contempt of court sufficient?
- for how long should a law enforcement official be able to impose a preservation order on service providers in exigent circumstances?
Under the current provisions of the Criminal Code, only the effects of spreading a computer virus, or an attempt to do so, are criminal acts. In 1985, when the provisions on unauthorized use of computers were enacted, complementary changes were also made to the Criminal Code provisions relating to mischief to ensure that any type of behaviour involving a computer system which amounted to mischief would be criminal acts under Canadian laws.
The Council of Europe Convention on Cyber-Crime requires signatory states to criminalize the creation, sale and possession without right of devices (e.g., computer programs) that are designed or primarily adapted for the purpose of committing offences specified in the Convention, whether or not the virus has been deployed or has caused any form of mischief. Such a distinction is not included in the current wording of the Criminal Code. A minor change in the wording of section 342.2 would be necessary to clarify that the creation, sale and possession of a computer virus program for the purpose of committing a computer offence or mischief is an offence in Canadian law.
Further, in order to ratify the Convention, new offences in relation to illegal devices (such as viruses) would have to be added. These could include importation, procurement for use, and otherwise making available an illegal device as defined in the Convention.
Part VI of the Criminal Code creates an offence for wilfully intercepting a
"private communication", as well as a scheme for obtaining judicial authorization to intercept such communications. (See Appendix 1 for a description of the current interception provisions in the Criminal Code.) The requirements for intercepting a
"private communication" are more onerous than those required to obtain a search warrant to seize documents or records (See Appendix 2). Section 183, in Part VI of the Criminal Code, defines the expression
"private communication" to cover any oralcommunication, or any telecommunication made under circumstances creating a reasonable expectation of privacy. This appears to suggest that, once a communication is put in writing, it can no longer be considered a
"private communication" for the purpose of the interception of communications provisions of the Criminal Code.
In fact, some courts have held that a tape-recorded message, like a written letter, did not fall within the definition of
"private communication" because it was not reasonable for a person sending such a tape (or letter) to expect that it would remain completely private. As it was a permanent record of its contents, it could easily come into the hands of a third party. Following this line of reasoning, one could argue that e-mail communications, as they are in writing, would not come within the
"private communication" definition. Therefore, these written records could be obtained by a search warrant.
However, some cases dealing with e-mails in Canada have taken the position that they are to be considered
"private communications." For example, a judge in Alberta recently held that judicial authorization under Part VI was required to intercept e-mails since there was a reasonable expectation of privacy on the part of those sending and receiving them.
These decisions, along with the definition of
"private communication," create some confusion as to whether an e-mail should be seized or intercepted. The problem stems from how this "store and forward" technology works. It is in fact possible to access an e-mail in various places or at various stages of the communication or delivery process using various techniques. The following stages of the communication or delivery process could probably be qualified as
- during keyboarding on the part of the sender of the message
- during transmission between the sender's computer and the sender's ISP
- during transmission from the sender's ISP to the recipient's ISP
- during transmission between the recipient's ISP and the recipient's computer
- during reception by the recipient of the sender's message
The way e-mail messages are transmitted, the relationship between the transmission and/or reception of the message, and the interplay between the sender and the recipient would appear to be covered by the current definition of the term
"intercept" in the Criminal Code.
Two stages are more problematic:
- while e-mail is stored at the sender's ISP
- while e-mail is stored at the recipient's ISP
The acquisition of e-mails under these circumstances can on occasion be at the same time as the transmission of those e-mails, but it may also be delayed. Additionally, e-mails may be stored for long periods (weeks or months) before they are opened by the recipient. The simultaneous transmission and acquisition of the content of an e-mail could be similar to an
"interception" under Part VI the Criminal Code. However, the acquisition of those contents when they are stored could also be considered a
"seizure" under Part XV of the Criminal Code or, for example, under s.15 or 16 of the Competition Act.
One final situation also raises problems: seizing an opened e-mail at the recipient's ISP.
This stage is similar to the situation where a person, having read a letter, files it into a filing cabinet rather than throwing it into the garbage. Obtaining an e-mail at this stage is more analogous to a seizure than it is to an interception.
The main problem in Canada is that the capture of the contents of an e-mail in transit with a third party or waiting to be delivered could constitute an
"interception" of a
"private communication" under the Criminal Code, regardless of when it took place. Some claim, however, that the acquisition of an e-mail under such circumstances constitutes a
"search and seizure." Questions have been raised as to whether the Criminal Code and other acts such as the Competition Act should be amended to clarify the type of order that should be obtained before e-mail is acquired.
Issues to be considered
- should there be a specific provision in the Criminal Code in relation to how an e-mail should be acquired?
- if such a provision should be included, what kind of procedural safeguards should be imposed?
- should the type of order to be obtained in order to acquire an e-mail vary depending on the stage of the communication or delivery process?
In addition to identified needs similar to other law enforcement agencies, such as proposed amendments relating to data-preservation orders and orders to obtain subscriber and/or service provider information, discussed above, the Competition Bureau is facing significant new technology-related challenges that impact on its capacity to obtain lawful access to evidence of Competition Act offences.
Deceptive marketing practices, telemarketing and other consumer targeted fraud, price fixing and bid-rigging are some of the competition offences that can be facilitated by computer systems and telecommunications. The nature of evidence for these kinds of offences is now increasingly electronic and significant amounts of data can be stored on increasingly smaller devices or media. Additionally, the type of criminals associated with some of these crimes is evolving. In telemarketing, for example, aliases are frequently used and there is a growing link between criminal elements associated with this kind of activity and threats to the security of Canadians.
Investigative powers currently available to the Competition Bureau include production orders, search and seizure, and interception of private communications. In order to continue to be able to legally access the type of evidence needed to fulfill its mandate, it has been proposed that amendments to the Competition Act should be considered, such as:
Access to Hidden Records
This proposal involves the capability of requesting persons found on a search premises to provide any records hidden on their person, including hidden electronic and digital devices or media mentioned in the search warrant, to officers on the premises; and provide for an obstruction provision specific to those failing to comply.
This proposal involves the ability to obtain general warrants and assistance orders to enhance the efficacy of evidence gathering tools.
- Date modified: