Canadian Law Enforcement Want Government To Force People To Turn Over Their Passwords
from the the-legislative-$5-wrench dept
Legislators and law enforcement (for the most part…) have been hesitant to demand companies build backdoors into their encryption schemes. The unwillingness to cross this government overreach line hasn't really tempered cursing of the impending darkness, however. That remains, largely propelled by a few of law enforcement's loudest mouths, who haven't seen a problem nerds can't solve, even after the nerds have told them repeatedly the problem (safely backdoored encryption) is unsolvable.
A lobbying group for Canadian law enforcement thinks it has the answer. Why mandate encryption backdoors when you can just utilize the "backdoor" built into every electronic device?
Canada's police chiefs want a new law that would force people to hand over their electronic passwords with a judge's consent.
The Canadian Association of Chiefs of Police has passed a resolution calling for the legal measure to unlock digital evidence, saying criminals increasingly use encryption to hide illicit activities.
The legislated human backdoor. Obviously, such a demand raises constitutional questions, even on that side of the border.
The chiefs' proposed password scheme is "wildly disproportionate," because in the case of a laptop computer it would mean handing over the "key to your whole personal life," said David Christopher, a spokesman for OpenMedia, a group that works to keep the Internet surveillance-free.
"On the face of it, this seems like it's clearly unconstitutional."
On this side of the border, such a mandate would also seem clearly unconstitutional, even though some courts have ruled that providing a passcode to unlock a device isn't testimonial -- even if what's on the unlocked device may prove to be incriminating.
The head of Royal Canadian Mounted Police echoes FBI Director James Comey's lament about (potential) evidence remaining out of reach of investigators. In fact, he pretty much quotes him directly.
There is nothing currently in Canadian law that would compel someone to provide a password to police during an investigation, RCMP Assistant Commissioner Joe Oliver told a news conference Tuesday.
Oliver said criminals -- from child abusers to mobsters -- are operating online in almost complete anonymity with the help of tools that mask identities and messages, a phenomenon police call "going dark."
Mandating the divulging of passwords relies on some very dubious assumptions. One, it assumes that any information still unseen by prosecutors or investigators is of evidentiary value -- hence the perceived need to force suspects to unlock devices. As was seen in the San Bernardino case, a lengthy court battle and a million-dollar payout to Israeli hackers recovered nothing of interest from the shooter's iPhone.
Second, it assumes law enforcement will use this power wisely and with restraint -- something that has historically been a problem for it. When an agency uses repurposed military technology (Stingrays) to (almost) hunt down fast food thieves, it's safe to assume forcing someone to expose their "whole personal life" by turning over a password is likely to result in the same sort of misuse… and abuse. It won't be reserved for the "worst of the worst" criminal suspects and will likely be legislated into existence without enough statutory restrictions to prevent device seizures incident to even the most innocuous of arrests to be viewed as evidentiary fishing expeditions.
The only standing between this law (if it becomes law) will be Canada's judges. While some judges may be unwilling to expose a person's entire life just because law enforcement swears it's necessary, others will be more amenable. Bring on the forum shopping!
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: canada, encryption, going dark, law enforcement, passwords
Reader Comments
Subscribe: RSS
View by: Time | Thread
'You first'
After all it's entirely possible that one or more of those devices/accounts might contain evidence of illegal actions, and if a 'maybe' is good enough for them, it should be good enough to be used against them to demonstrate what it's like to have their privacy stripped from them on nothing more than the whim of another.
They're welcome to refuse of course, in which case they get to enjoy being known from then on as the hypocrites that they are, demanding that their privacy be respected while the privacy of others is blatantly violated.
[ link to this | view in thread ]
[ link to this | view in thread ]
Even with encryption, the meta-data is giving law enforcement and governments much more information than they had pre-Internet.
[ link to this | view in thread ]
No such right exists in Canada: you can be compelled to testify against yourself here.
[ link to this | view in thread ]
Re:
Anyone spending two minutes googling the question "In Canada, can you be compelled to testify against yourself?", would have found that, while you can't 'plead the fifth' and refuse to testify, the Canadian Charter of Rights and Freedoms provides that (confirms a long standing rule, actually) that there's a right to not be self-incriminated as the result of testimony you give, except when the prosecution is for perjury or for the giving of contradictory evidence, even when the testimony is from civil cases - effectively the same protection as the American Fifth.
https://www.bennettjones.com/Publications/Updates/Avoiding_Self-Incrimination_in_Canada
"Sectio n 13 of the Charter states: “A witness who testifies in any proceedings has the right not to have any incriminating evidence so given used to incriminate that witness in any other proceedings, except in a prosecution for perjury or for the giving of contradictory evidence.” The Supreme Court has described this protection as a quid pro quo: a witness is compelled to give evidence, even if that evidence may incriminate him or her, on the condition that the evidence will not be used to establish his or her guilt. Of critical importance for U.S. counsel to recognize on their clients' behalf is that this bargain is different from that in the United States, where witnesses may rely on the Fifth Amendment to the U.S. Bill of Rights and refuse to testify."
There is an exception for a prosecution for perjury or for the giving of contradictory evidence (even when the testimony is from civil cases).
[ link to this | view in thread ]
So I wonder...
I wonder if they take into account two-factor authentication? Password correct but camera did not detect face or voice not recognized so now everything is gone... well they did get your password.
What if you forget your password? Can they punish you now for bad memory? What if the person has Alzheimers?
Would they force you to write your passwords down on yellow sticky notes in the future and to make it easier to remember: "you must keep your password below 8 letters with no capital letters and no numbers or special characters."
My dad would probably be very happy about this.
[ link to this | view in thread ]
Re:
Can a court legally compel a defendant to violate the law?
If so, is the defendant given immunity relative to said violation as a condition prior to capitulating?
[ link to this | view in thread ]
Besides, just because there is a law or a court order doesn't mean that the defendant is going to unlock or decrypt the device because it still boils down to pressuring someone to decrypt their device. If they don't want to do that, they aren't going to do that.
[ link to this | view in thread ]
Re: So I wonder...
[ link to this | view in thread ]
Would it be realistic to propose a solution where the government must provide a specific, detailed warrant describing precisely what they're looking for and where they expect to find it (i.e., what they're supposed to do all the time) but accompanied by immunity from prosecution for anything else that might be on that phone that doesn't exactly match the warrant?
I'm definitely not a lawyer or Constitutional expert... but considering the fact that these devices really are massively personal supercomputers with practically our whole lives stored inside them, would that be a somewhat realistic compromise, a sort of way to bring the much-vaunted "All Writs Act" into the modern era? It certainly seems more reasonable than the "compromise" they seem to be offering, namely the "this cell phone is a locked door and we have the right to open doors with a warrant" argument.
[ link to this | view in thread ]
If they refuse then why would they expect anyone else to be that selfless?
[ link to this | view in thread ]
Mass Spying Is Always Aimed at Crushing Dissent
No matter which government conducts mass surveillance, they also do it to crush dissent, and then give a false rationale for why they’re doing it.
http://www.globalresearch.ca/500-years-of-history-shows-that-mass-spying-is-always-aimed-at-crush ing-dissent/5364462
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: So I wonder...
[ link to this | view in thread ]
New Feature idea
The system can have TWO (or more) passwords. The real one and zero or more Fake passwords.
You use the real password in every day use.
You give the fascist tyrant police state dictators one of the fake ones. When the fake one is entered, all that you can see are a few apps, uninteresting contacts (grocer, dog groomer, hospital, etc) and uninteresting data.
Another fake password could be configured by the user so that upon first use, it destroys the real data and the real password.
If pressured you could give the fascist tyrant police state dictators more than one fake password.
[ link to this | view in thread ]
Re: New Feature idea
[ link to this | view in thread ]
This will get interesting.
Now what do they do? Does the government make such a lock screen illegal? Does Bricking your device become a new illegal activity? How far are they going to push?
[ link to this | view in thread ]
Re: This will get interesting.
[ link to this | view in thread ]
Re: This will get interesting.
If you delete evidence you could be charged with contempt.
[ link to this | view in thread ]
Re: Mass Spying Is Always Aimed at Crushing Dissent
[ link to this | view in thread ]
Re: Re: This will get interesting.
[ link to this | view in thread ]
[ link to this | view in thread ]
Why does Techdirt insist on pushing this narrative that Canadians have no (or substantially weaker) constitutional protections?
Just because our constitutional rights are not phrased in exactly the same way or have not been intepreted in the same way as US constitutional rights doesn't mean they don't exist. But every time something like this comes up, Techdirt takes this surprised tone, like the fact that Canada has a constitution at all is shocking.
Particularly ironic considering US courts have allowed exactly this kind of thing to happen, while no Canadian court ever has. (Allain Phillipon doesn't count - he plead guilty and the trial was never heard by a court).
[ link to this | view in thread ]
Different Culture
Of course it doesn't make this right. Canadians need to fight tooth and nail to keep the destructive oppressive influence of the US out.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: This will get interesting.
Techdirt: According To The Government, Clearing Your Browser History Is A Felony
Sarbanes-Oxley's rules about preservation of evidence apply to everyone. The law forbids the destruction of evidence, regardless of personal knowledge of ongoing investigations, or even if no investigation has even commenced. It doesn't even have to be willful destruction.
"It was used to bring additional charges against David Kernell, who hacked into Sarah Palin's email account. The actual hacking resulted in misdemeanor charges. The cleanup processes deployed by Kernell (clearing browser cache, running a disk defragmenter, deleting downloaded photos) were treated as felony obstruction of justice under Sarbanes-Oxley. When these actions occurred, Kernell wasn't under investigation."
If those actions are felony obstruction of justice, it's a safe bet that willfully bricking your device is too.
It could even happen in say, copyright lawsuits. Prenda Law cried "destruction of evidence" when they sued someone for copyright infringement. The victim dutifully turned over his computer to prove otherwise. Prenda found no evidence, so they declared the his registry cleaner to be "proof" that he was destroying evidence.
[ link to this | view in thread ]
What's all the fuss?
[ link to this | view in thread ]
Re: Re: Mass Spying Is Always Aimed at Crushing Dissent
Most of these laws that are supposed to be used against criminals have been well documented of being abused to go after protesters, dissenters, or anyone those in charge just plain does not like.
Be they porn industry actors, gun sellers etc.
[ link to this | view in thread ]
Re: Re: So I wonder...
They could in the US. "Failure" to remember password.
They have to be able to prove contempt, or prove a lie.
I don't know about Canada, but you can be criminally punished for "failure" to do things in the US, intentional or not.
[ link to this | view in thread ]
Re: 'You first'
Consider public safety minister Vic Toews in the previous Conservative government, who introduced the "Protecting Children from Internet Predators Act." A massive attack on privacy and the presumption of innocence, the bill did not mention children or internet predators other than in its title.
When faced with opposition, Toews declared that you could "either stand with us or with the child pornographers."
Which is when someone started tweeting details of the safety minister’s messy divorce (Mr. Toews, once called the "minister of family values" and in his 50s, fathered a child with his teenage babysitter) gleaned from publicly available court records. The tweets also detailed his spending of public money.
Needless to say, he considered THAT to be an unjustified and invasion of privacy.
[ link to this | view in thread ]
Re: Re: So I wonder...
[ link to this | view in thread ]
"We'll know it when we see it."
Following on the above, assuming they knew exactly what they were looking for, and assuming they did only use the one specific thing they were looking for, you'd still be in a position where you'd be forcing someone to provide incriminating evidence against themself, something that's (theoretically at this point) not allowed in the US, and apparently somewhat similar in Canada, where you can be forced to provide self-incriminating evidence but it can't be used against you outside of perjury and similar charges.
[ link to this | view in thread ]
Re: Re: 'You first'
My comment was along the lines of 'this is how it should be', where those pushing for a law are the first to experience it themselves, rather than being completely immune, as I imagine were the legal system that way a lot less stupid and/or unjust laws like this one would be proposed or passed.
[ link to this | view in thread ]
Plausibly-Deniable Passwords
The downside is, you can’t be sure when you’ve made a mistake either.
[ link to this | view in thread ]
Re: Re: 'You first'
[ link to this | view in thread ]
Re: Re: 'You first'
[ link to this | view in thread ]
I forgot it!!
After all, if I don't write 'em down, there is no way I could remember even 5% of my passwords.
I'd have zero shame claiming I forgot the password.
I could even embellish it with "I just reset my password and did not have time to write it down."
Question is, would the kangaroo kourts of Kanada accept such a defense, or have they already decided that cell-phone owning suspects all have eidetic memories?
---
[ link to this | view in thread ]
Self destruct?
New hidden App, give the authorities a password that will wipe all memory? Shouldn't be to difficult.
[ link to this | view in thread ]