1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

US Officially Blames Russia For DNC Hack

The United States (US) Department of Homeland Security (DHS) and Office of the Director of National Intelligence (ODNI) issued a joint statement on Friday, October 7, 2016, publicly stating for the first time that the US Intelligence Community is “confident” that the “Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations.”

DNC Attack Background

Last April, after the DNC discovered malware on its computer systems, it hired third party cybersecurity firm CrowdStrike to investigate the breach.  After completing its investigation, CrowdStrike issued a report in June 2016 linking the attacks to two groups associated with Russia:

  • “Cozy Bear,” a group suspected of previously attacking networks at the White House, State Department and Joint Chiefs of Staff; and
  • “Fancy Bear,” a group suspected to have targeted public and private entities for decades.

CrowdStrike linked the attacks of Cozy Bear and Fancy Bear to Russia because their programming code sometimes matched the code used in earlier hacks by Russia, and their behavior matched that of Russia’s in its historic efforts to increase Russian sphere of influence in Eastern Europe.  Thousands of stolen e-mails from the DNC were subsequently published on a source called DC Leaks, which ThreatConnect, a separate cybersecurity firm, has linked to Fancy Bear.

A day after the report, someone calling themselves Guccifer 2.0 claimed responsibility for the hack in a blog post.

Joint Statement Blames Russia For DNC Hack

In Friday’s joint statement, the DHS and ODNI stated for the first time that the “recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks and by the Guiccer 2.0 online persona are consistent with the methods and motivations of Russia-directed efforts.”  The agencies found that the “thefts and disclosures are intended to interfere with the US election process[,]” which is activity that is not “new to Moscow – the Russians have used similar tactics and techniques across Europe and Eurasia, for example, to influence public opinion there.”  Based on the “scope and sensitivity” of such efforts, the agencies concluded that only “Russia’s senior-most officials could have authorized these activities.”

No Conclusion On Voting Machine Hacks

The joint statement stopped short of attributing the recent state election data system breaches to Russia.  These breaches, which have seen at least Illinois and Arizona experience scanning and probing of their election systems, have been tied back to servers operated by a Russian company.  The FBI is currently investigating this claim, but the DHS and ODNI said the US Intelligence Community is not “now in a position to attribute this activity to the Russian Government.”

The joint statement came on the same day as a ceasefire in Syria fell apart and the US accused Russia of war crimes in Aleppo.   A copy of the joint report can be found here.

US Officially Blames Russia For DNC Hack

Canada’s Proposed Secure Air Travel Act

This is the second in a series of posts on Bill C-51, known as Canada’s Anti-terrorism Act, 2015. In my last post, I examined Part 1 of the Act, which would, if passed, enact the Security of Canada Information Sharing Act. That Act would facilitate inter-agency and inter-departmental sharing of information for the purpose of assisting agencies and departments with their responsibilities in connection with combatting activities that undermine the security of Canada. This post examines Part 2 of Bill C-51, which would enact the Secure Air Travel Act. This legislation would amend Canada’s approach to its “do-not-fly” list under what is known as the “Passenger Protect Program”.

The safety of airline passengers, crew members and others involved in air transportation is a serious matter. The prevention of terrorist acts on airplanes and using airplanes is matter of grave national and international importance. Preventing individuals from using commercial airline services to travel to participate in or promote terrorism is arguably at least as important as attempting to prevent the use of the financial system to fund terrorist activities. Overall, the enactment of the Secure Air Travel Act would create greater transparency for the operation of the Passenger Protect Program and more clearly define the rights of persons who are denied transportation. However, there are a number of features that are likely to be troubling to civil liberties advocates. In particular, the lowered threshold and expanded grounds for being placed on the “Specified Persons List” which functions as Canada’s “do-not-fly” list are likely to be of concern given the potential sharing of information with foreign governments. It is expected that advocacy groups may be concerned that this information sharing, combined with lower thresholds and expanded grounds, could increase the risk of the detention of Canadians abroad merely on “suspicion” of knowingly contributing to terrorist activities.

Current Passenger Protect Program

Canada’s current “do-not-fly” list, known as the “Specified Persons List,” is administered as part of the Passenger Protect Program created under the authority of the Aeronautics Act. Under s. 4.76 of the Aeronautics Act, the Minister of Transport may make emergency directions to airlines if “there is an immediate threat to aviation security […] the safety of the public, passengers or crew members” (among other things).  To facilitate air transportation safety, section 4.81 of the Aeronautics Act requires air carriers and operators of aviation reservation systems to provide information relating to air passengers to the Government. In addition, airlines must screen passengers against the Specified Persons List.

Lowering the Test for Placement on the Do-Not-Fly List

The Government proposes to lower the threshold and expand the grounds on which a person may be listed as a “specified person” under the Passenger Protect Program.

Under proposed s. 8(1), the Minister of Public Safety and Emergency Preparedness would only require “reasonable grounds to suspect” that the person “will engage or attempt to engage” in an act that would threaten transportation security (s. 8(1)(a)). This is a lower threshold than the current threshold of an “immediate threat”.

In addition, the Minister could place a person on a list if there is “reasonable grounds to suspect” that the person will travel by air for the purpose of conducting one of the following activities whether inside or outside of Canada (s. 8(1)(b)):

  • Knowingly participating in or contributing (directly or indirectly) to any activity for the purpose of enhancing the ability of a terrorist group to facilitate or carry out a terrorist activity;
  • Facilitating a terrorist activity; or
  • Committing a terrorist activity.

These expanded grounds are meant to address the perceived problem of persons travelling from Canada to participate in terrorist activities abroad.

Collection of Information

The collection of information from airlines and operators of airline reservations systems remains largely unchanged. The Secure Air Travel Act requires that any person or entity that operates a commercial air service or a system that provides the capability to make reservations or issue tickets for air services must provide information that is in their control concerning persons who are on board or expected to be on board an aircraft for any flight. The information that is collected continues to be the 34 data points relating to the passenger, the passenger’s reservation and flight listed in the Aeronautics Act. These data points include the passenger’s name, gender, citizenship, passport number, and contact information. That data also includes seating preferences, level of service on the airline, luggage tag information, and selected seat assignments. This information must be provided in accordance with the Act and regulations made under the Act. The regulations are broad enough that the Minister might be able to have direct access to the airline and air reservation systems.

Sharing Information with Canadian Agencies

The Secure Air Travel Act permits the Minister of Public Safety and Emergency Preparedness to share information with other departments and agencies (s. 11) and also permits those other departments and agencies to collect and share information relating to the administration and enforcement of the Act (s. 10). The RCMP, CSIS, the Minister of Transport, the Minister of Citizenship and immigration, and the Canada Border Services Agency are all expressly permitted to collect and disclose information to the Minister of Public Safety and Emergency Preparedness and each other.

Sharing Information with Foreign States

Section 12 of the Secure Air Travel Act provides the Minister of Public Safety and Emergency Preparedness with the power to share information with foreign states, foreign governmental institutions or international organizations for the purposes of transportation security or the prevention of travel by air to commit one of the activities listed in s. 8(1)(b) of the Act – that is, travelling to participate in, facilitate or commit a terrorist activity in Canada or abroad.

Safeguards

The Government has included a number of safeguards in the Secure Air Travel Act. These include:

  • The Minister of Transport must destroy information received from air carriers or operators of reservation systems within 7 days of the receipt of the information “unless it is reasonably required for the purposes of this Act” (s. 18(2)).
  • The Specified Persons List may only be disclosed to a foreign state, foreign governmental institution or international organizations if the Minister of Public Safety and Emergency Preparedness has entered into a written arrangement with respect to the information sharing.
  • The Specified Persons List must be refreshed by the Minister every 90 days to determine whether the grounds for which each person’s name was added continue to exist (s. 8(2)).
  • Individuals have the right to apply to the Minister within 60 days on which they are denied air travel to have their name removed from the Specified Persons List (s. 15(1)). The 60-day period can be extended by the Minister if “there are exceptional circumstances that warrant” an extension.
  • Individuals have the right to make representations with respect to an application to be removed from the Specified Persons List (s. 15(3)).
  • If the Minister does not make a decision within 90 days, the Minister is deemed to have denied the application (s. 15(6)).
  • Once the Minster gives notice of a decision with respect to the application or the 90-day period has expired, the individual has 60 days to appeal to a Federal Court judge (s. 16(2)). The court can extend the 60-day appeal period.
  • The court must review whether the “decision is reasonable on the basis of the information available to the judge” (s. 16(5)). Although the judge must withhold from the appellant information that could be injurious to national security or endanger the safety of any person, the court has broad powers to ensure that the appellant has enough information to understand the case against him or her (s. 16(6)).

Potential Issues to Watch

There are a number of issues to watch as debate over the Secure Air Travel Act evolves. Among the potential areas that may be subjected to criticism are:

  • The time period for automatic review has been lengthened from 30 to 90 days. Furthermore, there does not appear to be any immediate consequence for the Government’s failure to conduct this review in a timely manner, since the review “does not affect the validity of the list” (s. 8(2)).
  • The Minister appears to be permitted to disclose information beyond the Specified Persons List with foreign states. However, the scope of this information is undefined.
  • The 7-day destruction period by the Minister of Transport does not cover information that has been shared with other departments, agencies or foreign governments.
  • There does not appear to be any positive obligation on the Government to correct information provided to foreign states, including, for example, successful appeals by individuals appearing on the Specified Persons List.
  • The court may make decisions with respect to appeals of being placed on the Specified Persons List on information and evidence not provided to the appellant.
Canada’s Proposed Secure Air Travel Act

European Court of Justice declares Data Retention Directive invalid

The Data Retention Directive requires public electronic communications providers to retain certain communications data (essentially traffic data) to help in the fight against serious crime.  It applies to telcos and ISPs and came into force in 2006 after a number of terrorist attacks in mainland Europe added impetus to efforts to harmonise EU member state laws.  However, in  a ruling published yesterday, the ECJ has concluded that the Directive “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data” and declared it invalid.

How has this come about?

This is not the first time that the Directive has come under scrutiny.  The European Commission looked at the Directive in 2011 and had a number of criticisms (particularly as to the balance between the privacy of individuals and security).

In this latest development, the ECJ was asked to consider whether the Directive complied with the EU Charter of Fundamental Rights which sets out individuals’ rights to a private life and the protection of personal data.  The request came from the Irish and Austrian national courts which have before them a number of actions disputing the validity of corresponding national measures (as the Directive was implemented in EU member states through national laws).

What were the Court’s concerns?

The ECJ is of the view that, whilst the content of communications is not retained, the data that is retained could reveal potentially precise information about individuals’ private lives, and that the use of their data (when they have not been informed of that use) is “likely to generate in the persons concerned a feeling that their private lives are subject to constant surveillance“.

Therefore, the ECJ concluded that, although, data retention is appropriate in the fight against serious crime, the Directive is disproportionate.  The ECJ was particularly concerned at:

  1. The generality of the Directive – it covers all individuals and electronic communications without exception
  2. The lack of objective criteria for, and procedures regulating, access to and use of the data,
  3. The minimum data retention period of 6 months not taking into account the type of data or its usefulness
  4. Data retention being permitted for up to 2 years when there are no objective criteria to determine what data retention period is necessary in the circumstances
  5. The insufficient safeguards against possible abuse,  and unlawful access or use, of data
  6. The absence of a requirement to keep the data in the EU so that compliance with the rules can be ensured.

So what does this mean?

Well, in view of the continuing Snowden revelations and increased focus on protecting personal information, we can be sure that this will add fuel to the fire of the on-going surveillance v privacy debate.  It would also seem to suggest that surveillance for security purposes will have to move in the direction of more targeted action and stringent controls to be acceptable. So we expect big changes in the practical steps telcos and ISPs are required to take to retain communications data and make it available to law enforcement agencies.

However, in the short term, the ruling is likely to have little practical effect.  The ECJ has suspended the effect of the ruling until measures to remedy the invalidity are adopted, which, as the new Data Protection Regulation shows, could take some time!  So, things are likely to continue as they are for now.  In the meantime, the British Government and European Commission have both already said that they are assessing the impact of the ruling. Telcos and ISPs hang fire for now.

European Court of Justice declares Data Retention Directive invalid

Allowing Ontario’s Privacy Tort to Develop in the Health Information Sphere — for Now

In the 1980’s the Supreme Court of Canada pre-emptively ended the development of a common law tort of discrimination. The case, Seneca College v. Bhadauria, stands out as one of the lost opportunities in the development of the common law in Canada. The battle lines have re-emerged in the context of the development of Ontario’s new privacy tort – intrusion upon seclusion. How it will play out is yet to be seen.

Bhadauria

Although the cases involving the tort of intrusion upon seclusion do not mention Bhadauria — that case casts a long shadow and is essential reading to understand what is currently at stake for those who seek to advance a common law privacy tort.

In Bhadauria, the plaintiff complained that she had been repeatedly discriminated by the defendant college on the basis of her ethnic origin. She had applied for 10 positions on the teaching staff of the college and had never been granted an interview. Bertha Wilson J.A., writing for a unanimous bench of the Court of Appeal, recognized a new common law tort of discrimination and concluded that the Human Rights Code did not impede or exclude the development of the common law in this area in Ontario.

The college appealed the decision in Bhadauria to the Supreme Court of Canada with leave of that court. Chief Justice Laskin, writing for the court, concluded that the Human Rights Code was comprehensive legislation providing for a complaint procedure, a board of inquiry and judicial scrutiny. Laskin C.J. concluded that the Human Rights Code had – for better or worse – overtaken the development of the common law and foreclosed any development of the tort based on the anti-discrimination policy underlying the Human Rights Code. There ended the development of the tort of discrimination. Although the Supreme Court was asked to reverse its decision in 2008 in Honda Canada Inc. v. Keays, it did not do so.

Intrusion Upon Seclusion

Fast forward to 2012 and Ontario’s Court of Appeal recognized the tort of intrusion upon seclusion in Jones v. Tsige. In that case the defendant, an employee of the bank, had repeatedly accessed the banking information of the plaintiff who was in a relationship with the defendant’s former husband. The court recognized a new privacy tort and awarded damages for the intrusive behaviour of the defendant.

An open question was whether and how this new tort would fare in the context of Canada’s federal and provincial privacy legislation. The Ontario Court of Appeal made no mention of Bhadauria and the fateful attempt to establish a new tort in that case, although the issue appears to have been on Sharpe J.A.’s mind in his reasons. The defendant argued that privacy was already subject to provincial and federal legislation. However, the court concluded with brief reasons that “it would take a strained interpretation to infer from these statutes a legislative intent to supplant or halt the development of the common law in this area” (para. 49).

The court distinguished the federal Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that it applied to “organizations” and not an individual tortfeasor. The plaintiff’s recourse would have been to make a complaint against her own employer rather than the culpable person. Moreover, PIPEDA did not speak to the existence of a civil cause of action in Ontario. The Ontario Freedom of Information and Protection of Privacy Act addressed the practices of governments and public institutions and was not applicable.

Personal Health Information – Another Frontier

However, whether the tort could apply in other contexts was not entirely put to rest. There remained an open question whether the tort could apply in respect of conduct or events that might be the subject of a complaint under Ontario’s Personal Health Information Protection Act (“PHIPA”). This issue arose last month in the case of Hopkins v. Kay. The case involved the alleged the improper access of personal health records of 280 patients of a hospital without consent of the patients.

The hospital brought a motion to strike the claim based on the new tort on the basis that PHIPA covered the field. The hospital might have had the better argument based on Bhadauria. Complaints could be made to the Information and Privacy Commissioner of Ontario who has broad administrative and enforcement powers under PHIPA. Once the Commissioner made an order that had become final, a person affected by the order could commence a proceeding in the Superior Court of Justice for damages for actual harm that the person suffered as a result of a contravention of PHIPA. Damages are limited to $10,000 for mental anguish and there is an immunity provision to protect health information custodians and their agents from any action that seeks damages for acts or omission that have been made in good faith and that are reasonable in the circumstances.

Nevertheless, the motions judge refused to strike out the pleading finding that it was not so plaint and obvious that the claim was doomed to fail on the basis that PHIPA covered the field. The motions judge held “[i]f the position of the Hospital is to be sustained, it will require a decision of the Court of Appeal, which […] determines that there is no claim for breach of privacy and that the claim must rest on the provisions of PHIPA.”

The battle is clearly not over.

, ,

Allowing Ontario’s Privacy Tort to Develop in the Health Information Sphere — for Now

Supreme Court of Canada to Police: Get a Warrant to Search Computers and Mobile Phones

Yesterday, the Supreme Court of Canada issued a unanimous decision in R. v. Vu recognizing important privacy interests in information stored in a computer or mobile phone. The court held that specific, prior judicial authorization is required to search the contents of those devices when executing a search warrant for a premises. Building on prior jurisprudence, the court held that “[it] is difficult to imagine a more intrusive invasion of privacy than the search of a personal or home computer.” The court extended that proposition to smart phones. Writing for the court, Justice Cromwell held:

“I do not distinguish, for the purposes of prior authorization, the computers from the cellular telephone in issue here. Although historically cellular phones were far more restricted than computers in terms of the amount and kind of information that they could store, present day phones have capacities that are, for our purposes, equivalent to those of computers.”

Result – Get a Warrant

The law of search and seizure is complex and the assistance of a qualified lawyer should be sought regarding any particular set of circumstances. As a general rule, it appears that going forward, a computer and mobile phone will not be treated as a filing cabinet or other receptacles that could be searched incident to the search and seizure of a premises. This means that if police intend to search computers or mobile phones, they must satisfy the authorizing justice that there are reasonable grounds to believe that any computers or mobile phones at the premises to be searched will contain information that is relevant information. If they do not have prior authorization, the police may seize the computer or mobile phone but must seek authorization before searching them.

The court did not, however, modify the law regarding the search of a computer or mobile phone incident to arrest or in exigent circumstances. The decision was specifically limited to warrants to search a place.

What happened?

The issue arose in the context of an investigation of an investigation into electricity that was observed being diverted from one premises to another. The police filed an information to obtain a search warrant indicating the police intended to seize any evidence supporting a charge of theft of electricity contrary to s. 326(1)(a) of the Criminal Code. This included records and documentation relating to occupancy and control over the property and electrical services. A Justice of the Peace issued a search warrant.

When the police executed the search, they found marijuana growing in the basement. They found two computers and a mobile phone. The police appear to have proceeded on the basis of the general principle that authorization to search a place includes authorization to search places and receptacles within that place. Apparently, neither of the computers was password protected at the time of the search. One of the computers was connected to a security system. By reviewing the images, the police were able to identify a car that was then determined to be registered to the appellant. The second computer was running an online chat. The user was still logged in. The appellant was also logged into a social networking account. The police officer reviewed the accounts and also searched for photographs and files. He also obtained the serial number of a modem and used that to obtain subscriber information from the Internet service provider. The computers, a portable computer storage device, and a mobile phone were sized and made subject to a 90-day detention order.

A Computer is Not just another Receptacle

The court held that specific, prior judicial authorization was required. A computer (or mobile phone) compromises the ability of the user to control information about his or herself. The following features make computers fundamentally different from physical receptacles found at a premises.

  • Computers store vast amounts of information, which can be expected to touch the “biographical core of personal information”.
  • Computers contain information that is automatically generated, often unbeknownst to the user.
  • A computer file and other data will remain on a computer even after the user may believe the file has been deleted.
  • A computer may permit the search of items that are not “physically present” at the premises if the computer is connected to the Internet, thereby permitting a search that is of an ambit far greater than the traditional search of a premises.

Although the court did not find that a search warrant must contain a protocol for the search (identifying the manner of search or specific files that could be searched), the court held that the issuing justice would have the discretion to impose conditions including a two-stage approach, authorizing the seizure and then requiring the police to return to seek authorization for the search.

It should be that, in the result, the evidence was not excluded in this case, notwithstanding that the search violated the appellant’s right to be free from unreasonable search and seizure. The infringing conduct was not egregious and the law was unsettled.

, , ,

Supreme Court of Canada to Police: Get a Warrant to Search Computers and Mobile Phones