#CyberFLASH: Ottawa has little regard for protecting privacy rights when it comes to national security

1297658073661_ORIGINALOTTAWA — The federal government has scant regard for privacy rights when it comes to national security, according to the federal privacy commissioner’s new annual report.

Tabled in Parliament Tuesday, it reveals:

• Only two of the 17 departments and agencies with power collect personal information from other federal entities under the new Security of Canada Information Sharing Act (SCISA) believe privacy impact assessments (PIAs) are necessary. The assessments are designed ensure privacy protection is a core consideration and are required under government policy for any new or substantially modified government programs and activities involving personal information.

The act, created under the Anti-terrorism Act of 2015, formerly Bill C-51, allows 111 departments and agencies to share information, including citizens’ personal data, with 17 departments with national security responsibilities. The information must be “relevant” to the recipient’s jurisdiction in relation to “activities that undermine the security of Canada.” The intent is to persuade bureaucrats to share information so authorities can better connect the “dots” of potential national security threats.

The act has been used 110 times between Aug. 1, 2015, when it became law, and Jan. 31, by the Canada Border Service Agency (CBSA), RCMP, Canadian Security Intelligence Service, Immigration, Refugees and Citizenship Canada and Global Affairs Canada.

When privacy concerns about SCISA were raised last spring as C-51 made its way through Parliament, then-public safety minister Steven Blaney attempted to placate critics by insisting PIAs would be the norm.

• Thirteen of the 17 departments and agencies with national security responsibilities collected or shared information under “very broad” pre-existing legal authorities, including common law, because the Conservative government did not create detailed new legal authorities spelling out permitted collection and disclosure of information for national security.

Read more here

#CyberFLASH: Cyberattack on biometric data poses security risks at border, documents warn

canada-refugee-processing-fingerprintsOTTAWA—Border officials warn a cyberattack on their facial recognition or fingerprints databases could result in barring innocent travellers from Canada — or letting the wrong people in.

In documents prepared for Public Safety Minister Ralph Goodale in November, Canada Border Services Agency officials said they need to “keep pace with emerging security vulnerabilities” to systems governing who can enter the country.

The agency’s growing use of “biometric” data — such as fingerprints, facial recognition, and retinal scans — was cited as an example.

“A malicious cyberattack, for example, could infiltrate the back-end of a biometric identification system and produce false acceptances and/or rejections,” reads the document, obtained by the Star under access to information law.

“Such attacks could disrupt border traffic flows and compromise the integrity of border controls. CBSA must protect Canadians from increasingly complex safety and security threats and continue to advance security monitoring in all technologies.”

Read more here

#CyberFLASH: Fined for not giving up phone password at border

160815_iy0oi_rci-cell-phone_sn635Canadian Alain Philippon was fined $500 for refusing to give border guards at an eastern Canadian airport the password to his cellphone. Philippon originally said he would fight the charge of hindering or obstructing border officials. But today his lawyer entered a guilty plea in court.

Constitutional protections exist, but…

Canadians would be wrong if they thought they did not have to give border guards their phone passwords because of guarantees in the Canadian Charter of Rights and Freedoms. Indeed Section 8 guarantees “the right to be secure against unreasonable search or seizure.”

In fact, an individual has no obligation to give a cellphone password to police under the charter’s right to remain silent. And a police officer would need a warrant from a judge to search a personal computer or phone. But border guards are different.

‘A reduced expectation of privacy’ at borders

“When people are crossing the border, courts have long accepted that we have a reduced expectation of privacy,” said Josh Paterson, executive director of the BC Civil Liberties Association to CBC news. “Custom agents are able to search our bags, are able to search our goods, see if we’re bringing things back over the limit if we have contraband, weaponry, these kinds of things.”

Read more here

#cyberFLASH: Biometric facial screening coming to Canadian borders

160108_no0lk_rci-m-face-1_sn635Canada’s border agency plans to join several other countries and begin using facial recognition technology at entry points.

The idea is to compare video images of people arriving at border points against those on criminal data-bases and so-called “watchlists” in an effort to keep out alleged terrorists and criminals. It would also prevent people who have been deported from trying to regain entry using false documents under a different name.

The Canadian Border Services Agency (CBSA) has been working with the University of Quebec and other developers to determine how well the technology works under various lighting and crowd movement situations in extracting information from video images.

The technology will be tested at various locations in an operational context although apparently no trials involving actual travelers has yet taken place. It could eventually be installed at US-Canada border points and at international airports.

The technology has already been assessed by the CBSA in settings such as video footage of interview counter, hallways, waiting rooms and baggage pickup areas.

The federal privacy watchdog has issued a cautionary note to the CBSA that there is a possibility of “false positives” and that it could cause undue scrutiny of innocent travelers.

Read more here

#CyberFLASH: New airline passenger vetting could amount to racial profiling: watchdog

CPT500317455_highThe federal border agency’s new system for scrutinizing incoming air passengers could open the door to profiling based on race or other personal factors, warns Canada’s privacy czar.

Privacy Commissioner Daniel Therrien is pressing the Canada Border Services Agency to explain the program’s rationale and build in safeguards to protect civil liberties.

Canadian law requires commercial airlines to provide the border agency with specific information about passengers flying to Canada, including name, birthdate, citizenship, seat number and other data.

For years the border agency has used the information to try to zero in on terrorists or other serious international criminals. Travellers are assessed for risk, allowing the agency to single out those with high-risk scores for closer examination at the airport.

The border agency is moving to a system known as scenario-based targeting, already used by the United States, as part of Canada’s commitment to work closely with Washington under a perimeter security pact forged in 2011.

The border agency says the new scheme will be more efficient, effective and accurate, directing the focus to a smaller segment of the travelling population who represent a potential high risk.

The new scenario-based method uses Big Data analytics — extensive number-crunching to identify patterns — to evaluate all data collected from air carriers, says Therrien’s office, which reviewed the border agency’s privacy impact assessment of the project.

Read more here

#CyberFLASH: Report Implores Canadian Internet Providers to be More Transparent About Protecting Consumer Data


A new report authored by privacy experts suggests Canadian Internet providers “need to be much more transparent about how they protect their customers’ private information.”

The report found all providers have room for improvement, though smaller independent providers tend to be more transparent overall than their larger counterparts and for more visibly keeping domestic Canadian Internet traffic within Canada. Entitled Keeping Internet Users in the Know or in the Dark, the report was released today by IXmaps and New Transparency Projects.

However, Canadian ISPs are overall more transparent than the foreign carriers that handle domestic Canadian internet traffic, according to the report.

“We’ve just seen that in 99% of Canadian Border Services Agency’s requests for subscriber information, telecom companies have turned this sensitive data over without a warrant. Internet providers must be accountable to the Canadian public for how they handle our personal information,” says Andrew Clement, a University of Toronto professor who spearheaded the project alongside Dr. Jonathan Obar.

Read more here

#CyberFLASH: Ottawa has been spying on you


Telecommunications companies gave individual customer data to the Canada Border Services Agency over 18,000 times in one year.

This information includes the content of voice mails and text messages, websites visited and the rough location of where a cellphone call was made, according to government data.

For cases involving those types of requests, Canada Border Services sought a warrant for the information. But in the vast majority of releases, the agency asked for and received basic subscriber information without obtaining a warrant.

From April 2012 through March 2013, the agency asked telecoms for information 18,849 times. Of those, 99 per cent were for subscriber information that did not involve a warrant.

Telecoms handed over the data in all but 25 cases.

“I find that shocking,” said privacy expert David Fraser, a lawyer with McInnes Cooper in Halifax.

Read more here

International experts to debate how nations can tackle cyber threats


OTTAWA — Fears over digital threats to Canada’s critical infrastructure — concerns that may be misplaced — are fuelling an arms race that experts believe countries need to better control, especially after the discovery of a powerful online surveillance tool on a Canadian commercial server.

Federal law prohibits the sale or transfer of technology that would allow anyone to hack into a computer or network. Domestic law enforcement agencies, such as local police and the RCMP, are responsible for enforcing the law in Canada; the Canada Border Services Agency polices the import and export of such technology.

Read more here


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.