Everyone here okay? Good. So thank you for the invitation back. This is easily my favorite... It might be my favorite conference in Canada. It's always consistently a fantastic time. The speakers yesterday were great. The presentations were amazing. The talk about the ego market alone was worth the trip for sure.
So three main questions. These are what I would like to cover today. What new lawful access powers were given to government investigators in 2015 to conduct online investigation specifically? That's the first thing. Second thing was how has the debate around surveillance changed in Canada in the past few years? It's steadily ramped up for a number of reasons. I'll cover that. Then where are these policy issues and this public debate likely to be headed? Not just in the media but within the technical community, within the security establishment, et cetera. So that's what I'm hoping to get through quickly today, but I want to leave time to hear questions and get your impressions. So I'm going to go fairly quickly now here once I get started.
So first question. What powers do governments have to investigate cyber crime? Let me gauge your comfort level though first, because we're going to be talking about a different kind of code today. We're going to be talking about the criminal code, not computer code. So who, I'm wondering, in this room, just show of hands, has been served with a 487-18 warrant? Anyone had to reply to one? Nobody. Okay, good. I was saying that because you were put under a gag order. No, that was a trick question. You can't actually answer that. Okay, but do you know what assistance orders are? Like under the criminal code. You know, as a company or a compliance officer or an IT person within a company, you are served with a warrant to do a search of data, but very oftentimes certain companies in particular, and this has been a big thing in the States, is the companies actually demand to be compelled to provide that assistance.
So these are some of the powers that we're going to be going through just very quickly. But in a nutshell, just so everyone is on the same page, how the warrant system, at least in Canada, basically works is the police suspect that evidence of a crime is on, you know, a server or held by a commercial body. So it could be a hotel, it could be an ISP, it could be an internet company, it doesn't matter. Police believe that there is evidence of a crime in the corporate holdings of that organization. So then typically what happens is the police or the government investigator then goes to their superior for an authority to proceed with a warrant application. That superior typically then goes to check with the legal department of the said organization. If everything looks to be in order, the policeman then applies to the court. Court looks at it. Justice will ask questions. If required, it will be tailored as needed or not. Police then present that order once the court has authorized it to the company in question. The company will then check with its legal department. And then if all appears to be in order, usually there's a specialized unit within the company. Compliance staff will be tasked by their legal department to provide the data that the police have requested. Data goes over, investigation proceeds. So that's basically, in a nutshell, how the warrant system works.
So what happened in 2015 was three pieces of legislation were passed in Canada. We're going to focus on the lawful access one. But there were two others as well. There was a bill called the C-51 SCISA, which was the Security of Canada Information Sharing Act, which broadened the ability of federal agencies to share information around threats amongst themselves. Now within the definition of security of Canada under that act, digital infrastructure was one of the many examples.
So information sharing for the purposes of cybersecurity was one of the new topics, new issues and new files that 17 different security tasked organizations in Ottawa were permitted to share information between them under that law. But that's not the lawful access law.
The lawful access law was C-13. The working title was the Protecting Canadians from Online Crime Act. And it put in place a whole series of new powers that the police and other government authorities have been requesting for quite some time because they wanted to catch up with other states who had already signed on to something called the Istanbul Treaty Against Cyber Crime, which is a much older, like 2001, information gathering instrument that the United States, various EU states had signed on to. Canada was viewed as a laggard, hadn't brought its criminal code powers up to date, so that is what became the rationale for C-13, besides a whole series of other things that were happening at the time.
Okay, so what are the powers? So the first one that the bill enacted, that you hit first as you read through it, are preservation orders. So with a judicial authorization, with a court order, police can order any data stored in Canada to be preserved for up to 90 days. And the particular sections of the criminal code are there. For 21 days, so for three weeks, they don't need to go to a court at all. So a policeman at a desk can fill out a single-page form and that form goes over in the way that I described to the compliance staff of any company, who will preserve the data for 21 days. If it was routine transmission data or dump logs or anything like that, that normally the company would just get rid of, they can't, they have to keep it. Now the police don't get the data, it's simply preserved. So business transactional data that would otherwise be purged is set aside.
And then the idea being that the police, within those 21 days, would have time to go to a court and get a warrant in the way that I described.
Some of the other powers that were passed were communication tracing, so any anonymous communication, like an anonymous text or email or what have you, the police can, at a relatively low threshold. Most of these are at reasonable grounds to suspect, and I'll come back to that distinction between reasonable grounds to suspect and reasonable grounds to believe when we get to the end of this. But so they can do communication tracing on electronic devices. They can order transmission data, so they can get basically, this is sort of like the legal equivalent of a trace route. They can pull down web logs for up to, again, up to two months. They can order location tracking using phone GPS, car GPS, or they can do cellular pings if that's what's required. They can order subscriber, not subscriber, account, basic account information on financial data of any type, so PayPal, any kind of payment service. They can get the names of account holders, what kind of account it is, if it's linked to an email address or a physical address. They can do warrant tracking, sorry, a tracking warrant, either to trace transactions, so where, say, a particular card is being used or a vehicle, or they can, at a slightly higher threshold, order an actual individual tracking device, which is basically a beacon. They do an implant on a phone, or actually if they can get it onto a device, they can basically implant just about anything. So again, these are all criminal code powers that really have only been stood up for the last two years.
Last part on this section is who gets to use the powers. Previously, peace officers, i.e. policemen, were the primary user of these powers. And so peace officers are the obviously traditional policemen, badge, gun, and basic straight-up law enforcement authority.
Usually, I should add, also accompanied by some civilian oversight. The Protecting Canadians from Online Crime Act two years ago changed and broadened the definition of government investigators that could get access to the powers that I've just described and added basically public officers as well. And this is a fairly significant distinction insomuch as you are now talking about anyone, well, I put the definition up there. You're basically anyone in government who is responsible for the enforcement or administration of any law. So what that technically means is we're talking no longer about police officers, we're talking about folks like the Competition Bureau, Canada Post, Health Canada, Canadian Revenue Agency. All of these organizations have within them investigative units, and all of those various officials are now allowed to use these powers for their investigation. So that's the basic overview of how the law changed in 2015.
So how has all of this broken out in the media? Because obviously in the past few years with Snowden, with the NSA stuff, now with the Trump discussion around the Obama wiretapping and what have you, there's been a lot of, an enormous amount of debate around surveillance powers, how they're used, who authorizes them, how they're overseen, are they legitimate? So in Canada this really kicked off, I mean it's been quite some time, and we are extremely lucky in Canada in that we have, I mean, a whole slew of extremely tech-savvy reporters who truly get what is going on in this domain. I mean Justin Ling at Vice, Colin Freeze at the Globe, Matt Braga at CBC, I could go on, like Alex Boutilier, Jordan Pearson. I mean we've got like a dozen extremely good sort of tech privacy reporters who do consistently awesome work. And like the courts, I think, are generally extremely good at probing not just the rationale for police powers, but how they're actually being used. And this is my first example.
So one of the ways that the media debate has been framed is around obligations for transparency. Anybody ever looked at a transparency report, like a TSP transparency report? Okay, awesome. So Google, Facebook, various other big internet companies down in the States started this up after Snowden as a way to kind of like put the brakes on public concern around how much user data was being handed over to governments. But at the same time it wasn't just a public relations move, it was also a very legitimate attempt, I think, to put more information in the public domain, particularly for the courts who are authorizing this surveillance, about the scale of activity that was happening. And so this bled over into Canada.
So in 2013 this is the transparency report that to their credit Rogers Communications published. So you can see there, you get a sense of the scale. I mean it's going to come out here. Oh no, you can't really see it super well. But what it says is that, right there. So that's, this is the big number down, that so in a single year Rogers Communications, so one telecom company, received 174,000, basically 175,000 requests from law enforcement. Now a good half of those were basically just subscriber data lookups. So who is behind such and such an email? Who is behind such and such an IP address? Not content. But you go to the next number down is, and again it's almost half of the total, is Rogers got 74,000 warrants in a single year. So that's a pretty significant number. And after Rogers published theirs, you got Telus, you got Allstream. A bunch of other Canadian companies started to do the same. And so for the first time, at least in the telecom part of the telecom industry, we started to get a sort of breakdown of how the police were serving these companies with warrants.
The next thing that the media has been awesome on, I think, is unpacking the implications of the court cases.
Because interestingly, as these powers were going through parliament, the courts began to essentially prescribe new rules for police almost as fast as the parliaments were authorizing the powers. Now what I mean by that is, literally as the legislation that I've just described was proceeding through the Senate, the Supreme Court came out with a decision called Spencer, I don't know if everybody's heard of this one, that basically found, at least in the police context, individuals actually have a right not simply to privacy, but they actually have a reasonable right to anonymity online. The police who at the time were conducting an online investigation and who kind of went around the warrant procedures that I described in their investigation simply had not sort of taken the reasonable steps they could have. The Supreme Court found that particularly egregious and found, this was in 2014, found that things like an IP address and an IP address lookup need to be conducted with a warrant. And so the media has been extremely good on not only unpacking the implications of those cases in Canada, but then explaining, I think very rightly, that these aren't simply cases limited to police investigations, but they have broader implications on how, say, customs revenue does its investigations online or CBSA does its investigations at the border. So that's another way that the media have very usefully framed the debate.
The third, probably the most obvious theme that's come up, is surveillance. And Montreal has actually been sort of the epicenter for this part of the discussion, because, of course, the provincial government has called a commission of inquiry just down the street into how police conducted surveillance of journalists, many who work just down the street, and how those warrants were authorized by the department, the provincial judicial officers who also work just down the street. So it's actually a very tight-knit community. La Presse is there, CBC is there.
Those were the two main targets of the surveillance, the Ministry of Justice is right over there. So I think it all happened basically within like six square blocks of here. So there's now a full-on commission of inquiry here in Montreal looking into these issues. There's also been an enormous number of stories in Ottawa about installation of IMSI catchers around Parliament Hill. So that's another place. There's courts, newsrooms, legislatures. You can generally assume that these are being pretty carefully scrutinized. CBC reported just a couple of weeks ago that they found IMSI catchers that no one seems to want to take credit for at the Montreal airport. So this is a... Like I said, we have a lot of journalists in Canada who cover this stuff, an increasingly interesting area to watch. So that's part two.
Part three, I guess the last part of the talk, is where this is all likely to be headed. I think there's two obvious predictions. They're not even really predictions. I mean, you can see probably pretty clearly where the public debate and I think the technological debate is going ahead. I think the first one is that there's going to be a real call for companies to account in a significant and serious way for the data that they are providing to government investigators. And here what I tried to do, I don't know if you can see, is I tried to take the top three companies that are reporting surveillance requests and sort of map them out against one another. Now, you can see since the Spencer case that I described about the right to online anonymity, the number of non-warranted requests that these companies are receiving has dropped fairly significantly. It hasn't completely leveled off. So there are still avenues by which police can go to a company like Telus or Rogers and get data without a warrant. But they're usually fairly prescribed. Either they have some other authority, like it's not a criminal investigation, it's the enforcement of some other law that enables them specifically to seek data like that. And those typically fall under the government letters that you see listed out there. Or it's an emergency. Someone is in, you know, is likely to be in peril and the police can make a case that the information is too urgent to seek, go through all the steps of a warrant process, and they need to be provided it instantly.
But the upshot of the fact that we have these companies now reporting it, and this was an issue at the commission of inquiry here in Quebec, because none of the Quebec telcos provide these reports yet. It means that where the companies aren't reporting, there's a real lack of understanding both between the police, the government authorities, and the companies that are authorized, or the courts that are authorizing the surveillance. There's a lack of a feedback loop. And then that, I think, is going to be a serious problem that very likely the commission of inquiry here in Quebec is probably going to highlight, that there's sort of a corporate responsibility to produce a kind of ledger as to how data is being handed over. That's just one prediction, I would say.
But the most urgent, I think, debate is going to swirl around how these laws were passed in the first place. I think, to be blunt, the powers were passed at a particular point in time where the parliamentarians themselves were maybe not fully appreciative of the scope and scale of the powers they were passing. The legislation, unfortunately, will not be reviewed for another three or four years, at least not in any kind of like statutory requirement kind of way. But if I was a betting guy, I would say that the new government will very likely take a closer look at the legislation in the short term.
Because I think that some of the problems and some of the scandals in Ottawa, in Montreal, at the border where these powers are being used are starting to really cause sort of like a political headache for the government. And I think they're going to get more and more concerned as time goes by. And they're going to want to re-exert their role just like the media and just like the courts have in pushing back at these powers.
And that is all that I have, actually. So I want to thank you for listening and I would love to hear how you feel about some of these issues. If anybody has a question or an observation. Thank you.