Canadian authorities presently use a multitude of ways to preserve and access the subscriber data that is retained by social networking companies. A core challenge faced by authorities revolves around the jurisdiction of the companies: when the companies are based in the United States it can be more difficult to gather pertinent information than from companies that are clearly within Canadian jurisdiction. In what follows we identify some of the strategies that are employed by authorities to preserve and produce information held by social networking companies.
Authorities issue preservation orders to get companies to preserve data that relates to a policing investigation. Of the companies that have publicly available law enforcement guides for authorities, we have found these companies have established retention policies. This means that the companies have mechanisms in place to cooperate with authorities that submit preservation orders. (For more about the law enforcement guides, see our resources page.)
Canadian authorities sometimes issue preservation orders on account(s) associated with policing investigations or actions. Most companies will, when ordered, preserve data for 30 to 90 days. During this time authorities are expected to collect court issued documents that authorize the disclosure of preserved information to public agencies. Authorities can submit preservation orders without court documentation.
Canadian digital forensics investigators are trained to immediately issue preservation orders to social networking companies at the beginning of their investigations if they anticipate that data might be needed to aid an investigation. While authorities routinely issue preservation orders, these orders are not always followed up with the production orders needed to receive preserved information.
Production orders compel private companies to deliver or make available information to authorities. Canadian production orders involve judicial oversight/authorization and can only be sought and issued by authorities. Currently, production orders are issued on a provincial basis in Canada, and are therefore authorized by provincially based judicial authorities (judges, justice of the peace). Even though judicial assent is required, they are considered less intrusive than search warrants as they do not let law enforcement officials enter and search the premises of the third party--yet their result is effectively the same.
These orders are often referred to as the Canadian equivalent to the US Administrative Subpoena because the orders compel organizations to produce and disclose information to law enforcement officials. Notable differences remain between Canadian Production orders and US Administrative subpoena, however.
Our research found that many social networking companies will disclose basic subscriber information when presented with a Canadian production order. With a production orders, Canadian authorities tend to receive IP logs, mobile device or location information (if it is attached to the account), account username, as well as information about the Internet service provider (e.g. Rogers, Bell, Teksavvy) used to access with the account. Investigators will typically then file another production order with the ISP that was used to access the account to get basic subscriber information (e.g. billing information, mailing address, Internet Protocol address(es) assigned to the subscriber).
American-based social networking companies have varied responses to Canadian production orders. Twitter is non-responsive to Canadian-issued production orders. Google, on the other hand, will respond to production orders that comply with the company’s lawful access policy. This policy honours court documents that have been issued in the host-jurisdiction of the requesting authority. Similarly, Facebook Canada will comply with production orders served on the company by Canadian authorities.
A Mutual Legal Assistance Treaty (MLAT) facilitates cross-border (international) policing actions. In essence, MLATs are treaties between different countries that outline how they will help one another during investigations where two, or more, legal jurisdictions are involved. The MLATs that Canadian authorities use to compel information from American social networking companies typically ask American law enforcement officials to get a local court order and serve it on the company that holds the sought after data. As an example, if Canadian authorities want data that is held by Google, the Canadians could request that American authorities obtain a production or search order to subsequently serve on Google. Data would then be provided to the American authorities and then subsequently sent through government channels to their Canadian counterparts.
Canadian authorities will immediately turn to an MLAT if they are investigating a serious crime (e.g. homicide). MLATs can take a long time to process, however, and so it typically takes Canadian authorities a minimum of 6-8 months to receive data. Sometimes they never receive information because of delays in bureaucratic channels.
Because MLATs require significant amount of bureaucratic work and can be slow to return data to authorities, these treaties are sometimes shunned in favour of open source intelligence and evidence gathering techniques. If it is possible to acquire data without pursuing bureaucratic protocols Canadian authorities are incentivized to do so.
Social networking companies employ their own legal counsel to examine the proportionality of the authorities’ requests for subscriber data according to a general (and non-legally binding) standard of a reasonable expectation of privacy. In our interviews we have learned that Facebook, for instance, reviews MLATs on the basis of its subscribers’ reasonable expectations of privacy. In contrast, Canadian law enforcement officials have stated that most Canadian ISPs are reluctant to employ legal counsel or trained security analysts to maximally protect their subscribers’ privacy since the scale of responding to such requests might be simply too cumbersome.