Reframing the Metadata Debate with Privacy Preserving Lawful Access Technologies (PPLATs)
Student Writer, Windsor Law LTEC Lab
On September 19, 2018, Windsor Law LTEC Lab had the pleasure of hosting Professor Lisa Austin (University of Toronto, Faculty of Law), a leading expert in privacy law, property law and public law. Professor Austin is the co-founder of IT3 Lab, a multidisciplinary lab that works to improve technological transparency in a variety of areas. Austin presented a current project with IT3 Lab, which focuses on tackling the issue of lawful access to metadata. Austin and her colleagues  are developing computer science and policy-oriented methods of preserving privacy while simultaneously ensuring that law enforcement efforts are not hindered.
What is Metadata?
To put it simply, where the contents of a communication are the words of a text message, transmission metadata may include the time it was sent and received, the phone numbers that sent and received it and the locations of those phone numbers. Subscriber information is yet another category of metadata, and this may include the phone plan you are on, your billing address, your name and ultimately, your identity.
Section 8 of the Canadian Charter of Rights and Freedoms sets forth the constitutional framework for lawful access to data, guaranteeing that “[e]veryone has the right to be secure against unreasonable search or seizure.” In Hunter v Southam, the Supreme Court of Canada held that the state must obtain authorization – such as a warrant – prior to accessing information for which there is a reasonable expectation of privacy. The standard for the issuance of a warrant is that of “reasonable and probable grounds” of believing “that an offence has been committed and that there is evidence to be found at the place of search.” As a result of Southam, the government and law enforcement authorities have attempted to afford different privacy standards to different categories of data – content receives the gold standard of privacy protections, whereas metadata often receives less protection. The metadata debate is therefore about the terms under which the state, in its efforts to ensure public safety, can get access to communications metadata and whether metadata ought to be given more privacy protections due to the level of private information it might reveal about an individual.
In R v Spencer, the Supreme Court unanimously decided that subscriber information stored by a telecommunications company accords a reasonable expectation of privacy. The effect of these two judgments combined is that the state must obtain a warrant prior to accessing subscriber metadata. Did Spencer put an end to the metadata debate? Not quite. There have been attempts to legislate around the decision, with the RCMP stating that they need warrantless access to subscriber metadata. The state continues to request warrantless access to metadata. Additionally, the Cybercrime Working Group has offered interpretations of Spencer that enable potential workarounds.
Access to Metadata Is Not Necessarily Less Invasive Than Content
Professor Austin and her colleagues reject this categorical approach. Instead, they argue that the degree of privacy attached to communications metadata depends upon the context of its use by law enforcement authorities rather than on this abstract, categorical notion of the nature of that information. To be clear, metadata is not necessarily less invasive than content. It reveals who you are and where you called from. You can imagine that a phone call to an abortion clinic is quite revealing, regardless of what was said. The mere fact that you called can matter even more than what you actually said. Yet, it is precisely these forms of metadata that receive less privacy protections than content. Simply put, the outdated categorical approach is not sensitive to modern privacy concerns because it does not inquire about the ways in which the requested data may be used. Will it be used to identify individual suspects? Will it be used for purposes beyond the current investigation? These and other questions are considered when examining data from its use context rather than its categories. The following examples demonstrate some of the tech-oriented solutions that Professor Austin and her colleagues have developed.
Preserving Privacy During “Cell Tower Dumps”
In investigating a crime, law enforcement authorities may need to determine the number of people that were at the scene of the crime at the relevant time. They may require access to a record of every individual phone number that connected to a particular cell tower. From a technical perspective, they do not require access to any personally identifiable information in making these determinations. Professor Austin and her colleagues propose the following protocol:
Law enforcement authority requests service providers to find all the metadata and encrypt it.
Proximity analysis is done on the encrypted data to determine the number of individual cell phone numbers that meet their investigative criteria.
Law enforcement body is provided with this number.
This number is then independently verified in order to ensure that the process and the outputs are correct.
Law enforcement authority can then seek a warrant to get the identities of these individuals, subject to satisfying the Southam
The system performs its own analysis rather than allowing the law enforcement body to analyze the data at their behest. When asked about the number of people present at a particular location at a particular time, the system would analyze the data and answer only this question without revealing any personally identifiable information. As a result, a warrant is unnecessary at this point. A warrant could then be granted – meeting the Southam standard – to ascertain information about individuals, provided that the number of people at the location is reasonably small. High numbers of people at the location would be too speculative whereas low numbers more likely meet the reasonable and probable grounds test.
But what if time is of the essence and the law enforcement body needs information immediately? Do we throw privacy rights out the window, even for a brief period of time?
Auditing Exigent Circumstances
During “exigent circumstances,” law enforcement authorities can forego the requirement of a warrant in order to access data quickly. This is otherwise referred to as “warrantless access.” However, the service providers from which the police request the metadata are weary of handing over entire swaths of information about their customers, especially when they are not convinced that police have properly invoked the exception. Therefore, service providers find themselves acting as gatekeepers and engaging in these exercises of judgment, often denying such requests. While these exercises of judgment can help protect the privacy of their customers, they undermine the ability of law enforcement bodies to react quickly in real emergency situations. The exigent circumstances exception exists to allow police to have that timely access to data.
Professor Austin and her colleagues developed a protocol for addressing this issue that removes this discretion and hands over the metadata, but checks for abuse afterwards. In order to do so, service providers would be directed to initially accept law enforcement’s legal authority to determine the existence of exigent circumstances. This helps to address both the timeliness and the discretion issues. Austin et al. propose the following:
When law enforcement body makes an exigent circumstances request, they would also make a separate report to an independent auditor.
After fulfilling the request, the service provider would make a report to the same independent auditor.
The two reports would be checked against one another by the independent auditor, and any potential discrepancies between the two reports would be further investigated by the independent auditor.
The independent auditor would prepare annual transparency reports that provide further details on exigent circumstances requests.
The Idea That Metadata Invokes a Lesser Privacy Right Is Not Suited to the Digital Age
MIT Computer Science Professor Daniel Weitzner has said that metadata is potentially even more revealing than actual content because it is “much easier to analyze the patterns in a large universe of metadata and correlate them with real-world events than it is to go through a semantic analysis of all of someone’s email and all of someone’s telephone calls.” Indeed, the idea that metadata invokes a lesser privacy right is not suited to the digital age. These protocols demonstrate ways in which computation can be utilized to safeguard privacy while simultaneously improving both transparency and accountability. The computer science and policy-based protocols developed by Austin et al. may be the privacy solution that many are awaiting. Ultimately, the merit of these solutions is that they may improve privacy protections in the context of law enforcement activities without necessitating a change to existing laws.
*This is a summary of the main ideas presented by Professor Lisa Austin at a seminar organized by Windsor Law LTEC Lab on September 19, 2018. I thank Professor Lisa Austin for sharing her presentation and other materials with me. All errors are mine.
 Other than Professor Austin, IT3 Lab’s “Lawful Access” Project comprises the following members: Andrea Slane (University of Ontario Institute of Technology, Faculty of Social Sciences and Humanities);Ian Goldberg (University of Waterloo, Cheriton School of Computer Science); Michael Vonn (Policy Director, British Columbia Civil Liberties Association); David Lie (University of Toronto, Electrical and Computer Engineering); and Gerald Penn (University of Toronto, Computer Science).
 Hunter v Southam,  2 SCR 145 at 168 [Southam].
 R v Spencer, 2014 SCC 43 at para 16 [Spencer].
 Jim Bronskill, “RCMP need warrantless access to online subscriber info: Paulson”, Canadian Broadcast Corporation(25 Nov 2015), online: <https://www.cbc.ca/>.
 The Cybercrime Working Group (CWG) is a subcommittee appointed by the Coordinating Committee of Senior Officials’ (CCSO) Criminal Justice division to study various cybercrime-related matters such as cyberbullying and lawful access in order to make recommendations to a number of government departments based on its findings. Recently, they hosted a roundtable discussion, which included a number of government agencies, in order to discuss the impact of Spencer.
 Austin et al are currently developing the technical means by which this verification process would occur. The aim of this step of the protocol is to ensure that the process has been followed correctly.
 Please see Professor Weitzner’s interview with the Washington Post:Ellen Nakashima, “Metadata reveals the secrets of social position, company hierarchy, terrorist cells”, The Washington Post(15 June 2013), online: <https://www.washingtonpost.com/>.