Chapter 3: Lawful Access Challenges
Special Report on the Lawful Access to Communications by Security and Intelligence Organizations
63. According to CSIS, the biggest impediment to fulfilling its mandate “in terms of its ability to detect and mitigate threats is the rapid technological change that is outpacing our authorities and our tools.” Footnote 109 Both CSIS and the RCMP state that traditional interception techniques used to collect communications have become less useful as encryption has become more widespread, helping threat actors avoid discovery, investigation and prosecution ***. Footnote 110 CSIS and the RCMP state that these technologies have challenged investigations linked to terrorism, espionage, foreign interference, and organized crime. Footnote 111
64. Neither CSIS nor the RCMP systematically collects data on how many national security investigations encountered encryption. One exception is an older RCMP study about the technological challenges to obtaining judicially authorized digital evidence in 57 major Federal Policing investigations active in 2014, of which 25 were national security investigations. All investigations encountered technological challenges to acquiring judicially authorized evidence. However, none were shut down as a result. *** Footnote 112 The RCMP has not completed further studies of this kind since then. In an appearance before the Committee, CSIS noted the difficulty of quantifying successes and failures in overcoming encryption challenges, while Public Safety advised that security organizations are “really good at finding workarounds.” Footnote 113
65. CSIS also states that while new technologies and new types of data present opportunities for collecting intelligence, the challenges outweigh the benefits as there are too many apps and types of devices to keep up with. Footnote 114 ***. Footnote 115
Case study: ***
*** Footnote 116 *** Footnote 117 ***
To investigate this threat to the security of Canada under section 12 of the CSIS Act, CSIS obtained several successive warrants under section 21 of the Act. *** Footnote 118
*** Footnote 119 *** Footnote 120
*** Footnote 121 *** Footnote 122 ***
*** Footnote 123 *** Footnote 124
66. As national security targets opt for end-to-end encryption applications and virtual private networks to conceal their activities, the RCMP and CSIS told the Committee that ***, and that this difficulty is compounded by recent judicial decisions. Footnote 125 CSIS and the RCMP rely on BSI to determine who is behind a digital identifier (i.e., an IP address) in order to investigate possible threats. As noted in Chapter 2, after the Supreme Court’s 2014 decision in Spencer that security agencies required judicial authorization to seek BSI, CSIS and the RCMP need to take additional steps to access what they considered to be building block information required for the early stage of an investigation. According to CSIS, the requirement for judicial authorization for this kind of information results in delays and significant effort for CSIS to investigate a potential threat, particularly as it is seeking to rule individuals out to enable investigators to focus on the right threat actors. Canada’s Five Eyes partners do not require judicial authorization to obtain BSI. Footnote 126
67. The RCMP claims that it is also challenged to make the most of the metadata it has seized, noting that the huge volume of data associated with metadata, most of which is not relevant, can overwhelm investigators. Footnote 127 Additionally, there is no legal requirement for CSPs to retain certain metadata for a set period of time. Footnote 128 Consequently, while the RCMP or CSIS could seek a preservation order to compel a provider to preserve specified data, investigators may find that the provider has already deleted the data before receiving the order due to the provider’s own data management policies. According to the RCMP, the absence of a data retention regime has significant implications given that some complex investigations run for years, while other investigations may start years after the data was initially created. Footnote 129
Data retention refers to a general legal requirement on CSPs to retain certain metadata for a specified period of time. Canada does not have any such laws. Footnote 130
Data preservation refers to the existing provisions in the CSIS Act and Criminal Code that allow investigators to compel a person or entity to preserve data they would have otherwise deleted (i.e., per usual business practice or policy). Preservation demands and orders are issued so data is preserved with a view to the investigator obtaining a warrant or production order to obtain the data itself. In the Criminal Code, a preservation demand allows an RCMP officer to compel preservation without judicial authorization. Footnote 131 There is no preservation demand in the CSIS Act. Preservation orders, which are found in the CSIS Act Footnote 132 and the Criminal Code Footnote 133, require judicial authorization.
68. Privacy advocates maintain that metadata represents a source of valuable, often unencrypted information for investigators that may have been underutilized. Footnote 134 According to the Citizen Lab, CSIS and the RCMP are not “going dark,” rather they are experiencing “investigative friction,” a situation in which increased “expertise, cost, or ingenuity” is required in the investigation of threats to national security. Footnote 135 Privacy advocates also point out that large pools of potentially revealing personal data are now harvested by private sector organizations as part of general “commercial surveillance,” Footnote 136 offering an opportunity for security and intelligence agencies to collect information. They argue that “[f]ar from ‘going dark,’ more information is available about individuals’ private lives today than in any other moment in human history.” Footnote 137
69. CSIS counters that it is unable to access or collect this data given Canada’s current technological and legislative limits. The commercial entities collecting this data are primarily located outside of Canada (jurisdictional barriers are discussed later in this chapter). Footnote 138 CSIS also notes that information available to anyone else on the Internet, such as IP addresses, cannot be collected by the state without judicial authorization due to Supreme Court decisions in Spencer and Bykovets. Footnote 139
70. Privacy experts also state that security agencies overstate their constraints:
[D]igital storage is so cheap today that any data collected for any investigative purpose can be retained indefinitely from a cost perspective. Moreover, digital tools such as voice recognition, machine translation, and analytics powered by artificial intelligence provide government agencies with automated tools to sift through reams of intercepted digital data, and identify items of interest that require further analysis by their personnel. Footnote 140
71. CSIS counters that the reality is more complicated, noting that it has strict restrictions in its warrants detailing retention periods for data collected (i.e., CSIS is unable to indefinitely retain data) and requirements for data to be reviewed by designated CSIS employees (i.e., not via an automated program). Footnote 141
72. In reflecting on the origin of the 2011 argument that governments were enjoying a “golden age of surveillance,” CSIS notes that at the time, Internet-based communications were more vulnerable than traditional phone calls unless encryption was used, and that even then, law enforcement reported the ability to retrieve readable communications in the relatively few times it faced this challenge. Footnote 142 CSIS states that this situation has shifted significantly with the majority of Internet traffic now being encrypted by default ***. Footnote 143